[Cover] BSD Magazine, issue devoted to Unix Security, for BSD developers and advanced users. Cover headlines: Basic Unix Queuing Techniques; How Secure Can Secure Shell Be; Sniffing and Recovering Network Information; Dynamic Memory Allocation. Cover sponsor: iXsystems (www.iXsystems.com).
[Advertisement: iXsystems]

Enterprise Servers and Storage for Open Source. Professional In-House Support. Rock-Solid Performance.

High Performance, High Density Servers for Data Center, Virtualization, & HPC

http://www.iXsystems.com/e5


768GB of RAM in 1U

KEY FEATURES

iXR-22X4IB
• Dual Intel® Xeon® Processors E5-2600 Family per node
• Intel® C600 series chipset
• Four server nodes in 2U of rack space
• Up to 256GB main memory per server node
• One Mellanox® ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector per node
• 12 SAS/SATA drive bays, 3 per node
• Hardware RAID via LSI2108 controller
• Shared 1620W redundant high-efficiency Platinum level (91%+) power supplies

iXR-1204+10G
• Dual Intel® Xeon® Processors E5-2600 Family
• Intel® C600 series chipset
• Intel® X540 Dual-Port 10 Gigabit Ethernet Controllers
• Up to 16 Cores and 32 process threads
• Up to 768GB main memory
• Four SAS/SATA drive bays
• Onboard SATA RAID 0, 1, 5, and 10
• 700W high-efficiency redundant power supply with FC and PMBus (80%+ Gold Certified)
High-Density iXsystems Servers powered by the
Intel® Xeon® Processor E5-2600 Family and Intel® 
C600 series chipset can pack up to 768GB of RAM 
into 1U of rack space or up to 8 processors - with 
up to 128 threads - in 2U. 


On-board 10 Gigabit Ethernet and Infiniband for Greater 
Throughput in less Rack Space. 


Servers from iXsystems based on the Intel® Xeon® Processor E5-2600 
Family feature high-throughput connections on the motherboard, saving 
critical expansion space. The Intel® C600 Series chipset supports up to 
384GB of RAM per processor, allowing performance in a single server to 
reach new heights. This ensures that you're not paying for more than you 
need to achieve the performance you want. 


The iXR-1204 +10G features dual onboard 10GigE + dual onboard 
1GigE network controllers, up to 768GB of RAM and dual Intel® Xeon® 
Processors E5-2600 Family, freeing up critical expansion card space for 
application-specific hardware. The uncompromised performance and 
flexibility of the iXR-1204 +10G makes it suitable for clustering, high-traffic 
webservers, virtualization, and cloud computing applications - anywhere 
you need the most resources available. 


For even greater performance density, the iXR-22X4IB squeezes four 
server nodes into two units of rack space, each with dual Intel® Xeon® 
Processors E5-2600 Family, up to 256GB of RAM, and an on-board Mellanox® 
ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector. The iXR-22X4 IB is 
perfect for high-powered computing, virtualization, or business intelligence 
applications that require the computing power of the Intel® Xeon® Processor 
E5-2600 Family and the high throughput of Infiniband. 


Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries. 
SECURITY


Dear BSD Readers, 


This January issue of BSD is devoted to Unix Security. It is the
beginning of the year so we think that all of us have made some
New Year resolutions. I think that all of us want to be happy and feel
secure and that is why we created this issue devoted to Unix Security.

Inside this BSD issue, we collected the articles written by experts in 
that field to provide you with best-quality knowledge. Enjoy your reading 
and develop with our Magazine! 

Inside this BSD issue, we publish the 3 articles by Mark Sitkowski. 
If you want to find out more on Unix security, you should read them 
all. We would like to highlight this one on Dynamic Memory Allocation 
in Unix Systems. 

Also, we recommend that you read Phillip’s article that will teach you 
how to use the Mac OS X hackers toolbox. This article can be extremely 
useful for all Mac users who aspire to be good security experts. 

Of course, please do not forget to read the 3rd part of Arkadiusz’s 
article on Virtual Private Networks supported by OpenSSH. And for 
dessert, please go to see what Rob wrote for you this time. We really 
like his column and are waiting for the next month eagerly. 

However, as long as we have our precious readers, we have a 
purpose. We owe you a huge THANK YOU. Everything we do, we do 
with you on our minds. We are grateful for every comment and opinion, 
either positive or negative. Every word from you lets us improve BSD 
magazine and brings us closer to the ideal shape of our publication, 
or, we should say — your publication.

Thank you BSD fans for your invaluable support and contribution. 


Ewa & BSD team 
06 Nmap: How to Use It
Sahil Khan

Nmap stands for “Network Mapper’. It's been seen in 
many films like the Matrix Reloaded, Bourne Ultimatum, 
Die Hard 4, etc. When Nmap was created, it could only be 
used on the Linux Platform but now it supports all the major 
OSes like Linux, UNIX, Windows, and Mac OS platforms. 
Sahil will teach you how to use it and why you should start. 


15 How to Use The Mac OS X Hackers Toolbox
Phillip Wylie
When you think of an operating system to run pen testing 
tools on, you probably think of Linux and more specifically, 
BackTrack Linux. BackTrack Linux is a great option and 
one of the most common platforms for running pen testing 
tools. If you are a Mac user, then you would most likely 
run a virtual machine of BackTrack Linux. In this article, 
Phillip is going to take you through the installation and
configuration of some of the most popular and useful 
hacking tools, such as Metasploit, on Mac OS X. If you 
are interested in maximizing the use of your Mac for pen 
testing and running your tools natively, then you should 
find this article helpful. 


Basic Unix Queuing Techniques
Mark Sitkowski

It occasionally happens that our incoming or outgoing data 
cannot be processed as it is generated or, for some reason, 
we choose to process it at a later time. A typical example 
might be a client-server system, where it is necessary to 
queue the socket descriptors of incoming connections 
because of some limit on the number of active processes, 
or a message hub, which accepts data synchronously, 
but must rely on other processes to remove the data 
asynchronously. Apart from the numerous commercially- 
available third party implementations of queuing systems, 
Unix has two highly efficient queuing mechanisms, which 
can be used for extremely low overhead systems of 
queues. Read Mark’s article to find out how Unix Queuing 
Techniques work. 


30 How Secure can Secure Shell (SSH) be?
Arkadiusz Majewski, BEng

This article is the third part of the series on OpenSSH
and configurations and includes tricks which make
using the protocol more secure. Arkadiusz, in his article,
concentrates on Virtual Private Networks supported by
OpenSSH.
34 Unix Interprocess Communication Using Shared Memory
Mark Sitkowski 
A shared memory segment is a section of RAM whose 
address is known to more than one process. The processes 
to which this address is known, have either read only, or 
read/write permission to the memory segment, whose 
access rights are set in the manner used by chmod. 


40 Sniffing and Recovering Network Information Using Wireshark

Fotis Liatsis 
Wireshark is a free and open-source packet analyzer. 
It is used for network troubleshooting, analysis, software 
and communications protocol development, as well as 
education. Wireshark is cross-platform, using the GTK+
widget toolkit to implement its user interface and pcap to 
capture packets. It runs on various Unix-like operating 
systems including Linux, OS X, BSD, Solaris, and on 
Microsoft Windows. Fotis will show how easy it is to obtain 
sensitive data from snooping on a connection. The best 
way to prevent this is to encrypt the data that’s being sent. 
The most known encryption methods are SSL (Secure 
Sockets Layer) and TLS (Transport Layer Security). 


46 Dynamic Memory Allocation in Unix Systems
Mark Sitkowski 
It is not always possible, at compile time, to know how big 
to make all of our data structures. When we send an SQL 
query to the database, it may return twenty million rows, 
or it may return one. 


Column 


52 Technology makes a wonderful slave 
but a cruel master. Both Amazon 
and Tesco, major retailers in the UK 
and worldwide have been severely 
criticised in the media for the use of 
technology to control and monitor staff 
excessively. As IT professionals, where 
do we draw the ethical line in the sand? 
Rob Somerville 
Nmap: How to Use It


Nmap stands for “Network Mapper’. It’s been seen in many 
films like the Matrix Reloaded, Bourne Ultimatum, Die Hard 
4, etc. When Nmap was created, it could only be used on the 
Linux Platform but now it supports all the major OSes like 
Linux, UNIX, Windows, and Mac OS platforms. 


From the beginning its only job was to be a port scanner, but now it can
do the following things: remote OS detection, time-based scanning,
firewall evasion techniques, the Nmap Scripting Engine, multi-probe
ping scanning, etc.


Installation of Nmap
For the installation of Nmap, go to http://nmap.org/download.html.
On this page you can find the following options:

• Downloading Nmap
• Source Code Distribution (in case you wish to compile Nmap yourself)
• Microsoft Windows Binaries
• Linux RPM Source and Binaries
• Mac OS X Binaries
• Other Operating Systems


Installation on Windows 

Select the option for your operating system. First, we'll see how to
install it on Windows. Go to the Microsoft Windows Binaries section.
On Windows you can use Nmap in graphical mode (the Zenmap GUI)

Figure 1. All unzipped files
as well as from the command line. For the command-line version, click on:

  Latest command-line zipfile: nmap-6.01-win32.zip

For the graphical version, click on:

  Latest release self-installer: nmap-6.01-setup.exe


When the download is completed, unzip the archive; you get a folder
named nmap-6.01 containing 3 directories and 26 files. Besides the
three directories, named License, nselib and scripts, there are four
executable files: nmap.exe, winpcap-nmap-4.12.exe, vcredist2008_x86.exe
and vcredist_x86.exe. The fifth important file is nmap_performance.reg;
the others are supporting files for running nmap (there are also ncat,
ndiff, nmap-update and nping, which we are not going to discuss here).

First of all, run winpcap-nmap-4.12.exe to install WinPcap. WinPcap is
the packet capture library that Nmap needs to send and receive raw
packets on Windows; without it only the connect() scan works. Then
install vcredist2008_x86.exe and vcredist_x86.exe (the Visual C++
runtimes) and, at last,
Figure 2. Registry Entry
double-click on the nmap_performance.reg file (this needs administrative
rights, since it changes system-wide TCP/IP settings). The file adds three
values under the key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]:

  "MaxUserPort"=dword:0000fffe
  "TcpTimedWaitDelay"=dword:0000001e
  "StrictTimeWaitSeqCheck"=dword:00000001

The values are hexadecimal DWORDs. 0000fffe is 65534 in decimal, so the
highest ephemeral (user) port Windows will hand out becomes 65534 instead
of the old default of 5000 on XP/2003; Nmap opens many connections and
needs the extra source ports. 0000001e is 30, so a closed socket stays in
the TIME_WAIT state for 30 seconds instead of the default 240 seconds
(4 minutes), freeing ports much faster. The third value,
StrictTimeWaitSeqCheck=1, changes how Windows treats packets arriving for
a connection that is still in TIME_WAIT; Nmap ships it together with the
other two as part of its recommended Windows performance tuning.


Now you can use nmap on Windows. Go into the installation directory and
give the simple command nmap 10.0.0.5. In Figure 3 you can see the result.


Figure 3. Ready to use in Windows (nmap 10.0.0.5; MAC address 00:E0:1C:3B:65:B3 (Cradlepoint); Nmap done: 1 IP address (1 host up) scanned in 6.65 seconds)
Figure 4. Downloading the rpm file. The Linux RPM Source and Binaries section of http://nmap.org/download.html reads: "Many popular Linux distributions (Redhat, Mandrake, Suse, etc) use the RPM package management system for quick and easy binary package installation. These may not work on Redhat 9 or earlier due to libc incompatibility issues. We have written a detailed guide to installing our RPM packages, though these simple commands usually do the trick: [...] You can also download and install the RPMs yourself."
Installation on Ubuntu

Step 1: downloading from the GUI

Visit http://nmap.org/download.html; for Linux you can download Nmap
from the shell or from the GUI. Go to the 4th option, Linux RPM Source
and Binaries, shown in Figure 4, and click on nmap-6.01-1.i386.rpm. The
download is about 4.2 MB. Note that Ubuntu is Debian-based and does not
use RPM packages, so this .rpm cannot be installed with dpkg or apt-get.
On Ubuntu either install the distribution's own package (sudo apt-get
install nmap) or build from the source tarball as in step 2, which also
gets you the newest version.

Step 2: downloading from the shell

Go to the terminal and give the following command, as shown in Figure 5:

  wget http://nmap.org/dist/nmap-6.00.tar.bz2

After the download finishes, you have the file nmap-6.00.tar.bz2.
Unpack it with the command shown in Figure 6:

  bzip2 -cd nmap-6.00.tar.bz2 | tar xvf -

Then change into the unpacked directory and run ./configure, make and,
as root, make install:

  cd nmap-6.00
  ./configure
  make
  sudo make install

Basic Scanning Technique
In the basic technique we use Nmap without any switch. Here we already
see the flexibility of Nmap, because it accepts targets in Classless
Inter-Domain Routing (CIDR) notation, as octet ranges, as DNS names and
as IPv6 addresses. So how can we scan multiple IPs?

Nmap reports its results under three column headings. The first is PORT:
the port number and protocol. The second is STATE. There are six states
Nmap can report:

• Open: an application on the target is actively accepting TCP
  connections or UDP datagrams on this port.
• Closed: the port is reachable (it responds to Nmap's probes), but no
  application is listening on it.
• Filtered: a packet filter (a firewall, router rules or host-based
  firewall software) is dropping the probes, so Nmap cannot tell whether
  the port is open; it sees no response or only ICMP error messages.
• Unfiltered: the port is reachable, but Nmap cannot determine whether it
  is open or closed. Only the ACK scan (-sA), which is used to map
  firewall rules, classifies ports this way.
• Open|Filtered: Nmap cannot tell whether the port is open or filtered.
  This happens with scans where an open port gives no response at all:
  UDP, FIN, Null and Xmas scans. A version scan (-sV) can sometimes
  settle the question.
• Closed|Filtered: Nmap cannot tell whether the port is closed or
  filtered. Only the IP ID idle scan (-sI) produces this state.

The third heading is SERVICE: the service that normally runs on that
port according to Nmap's nmap-services table. This is a name looked up
from the port number, not verified, unless you add -sV. At the end Nmap
prints the MAC address of the scanned system if it is on the same
Ethernet segment as the scanner, how many hosts are up and how long the
scan took, normally in seconds.

Figure 5. Downloading from the shell mode

spider@spider-desktop:~/Downloads$ bzip2 -cd nmap-6.00.tar.bz2 | tar xvf -

Figure 6. Unzip nmap
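To see what the PORT/STATE/SERVICE table, the "Not shown" line and the MAC line described above actually carry, here is an added Python example that parses Nmap's normal output into structured records. It is not code from the article or from the Nmap project; the report it parses is a constructed sample modelled on the article's Figure 9, not a live capture. For real automation prefer Nmap's machine-readable formats (-oX for XML, -oG for grepable output), which are stable across versions; the normal output is meant for humans.

```python
"""Parse Nmap's normal (human-readable) output into structured records.

Added example, not code from the article or the Nmap project. For real
automation use Nmap's machine-readable formats (-oX XML or -oG grepable),
which are stable; this parser shows what the PORT/STATE/SERVICE table, the
"Not shown" summary line and the MAC line described in the article carry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample modelled on the article's Figure 9; not a live capture.
SAMPLE_REPORT = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2012-08-02 13:02 IST
Nmap scan report for 10.0.0.2
Host is up (0.0074s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:26:C6:15:23:FA (Intel Corporate)

Nmap scan report for 10.0.0.3
Host is up (0.000014s latency).
All 1000 scanned ports on 10.0.0.3 are closed

Nmap scan report for 10.0.0.4
Host is up (0.00015s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
631/tcp closed ipp
MAC Address: 00:E0:4C:4D:12:D9 (Realtek Semiconductor)

Nmap done: 3 IP addresses (3 hosts up) scanned in 9.23 seconds
"""

_HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
_PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
_NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
_ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")
_MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
_DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


@dataclass
class HostReport:
    address: str
    ports: list = field(default_factory=list)      # (port, proto, state, service) tuples
    not_shown: dict = field(default_factory=dict)  # state -> number of ports summarised away
    mac: str | None = None                         # only present for hosts on the local Ethernet
    vendor: str | None = None

    def open_ports(self) -> list[int]:
        return [p for p, _proto, state, _svc in self.ports if state == "open"]

    def state_counts(self) -> dict[str, int]:
        """Totals per state, including the ports Nmap folded into 'Not shown'."""
        counts = dict(self.not_shown)
        for _p, _proto, state, _svc in self.ports:
            counts[state] = counts.get(state, 0) + 1
        return counts


def parse_report(text: str) -> tuple[list[HostReport], dict]:
    """Return one HostReport per 'Nmap scan report for' block plus the final summary."""
    hosts: list[HostReport] = []
    summary: dict = {}
    cur: HostReport | None = None
    for line in text.splitlines():
        if m := _HOST_RE.match(line):
            cur = HostReport(address=m.group(1))
            hosts.append(cur)
        elif m := _DONE_RE.match(line):
            summary = {"addresses": int(m.group(1)), "hosts_up": int(m.group(2))}
        elif cur is None:
            continue  # banner lines before the first host
        elif m := _PORT_RE.match(line):
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif (m := _NOT_SHOWN_RE.match(line)) or (m := _ALL_RE.match(line)):
            cur.not_shown[m.group(2)] = int(m.group(1))
        elif m := _MAC_RE.match(line):
            cur.mac, cur.vendor = m.group(1).upper(), m.group(2)
    return hosts, summary


if __name__ == "__main__":
    hosts, summary = parse_report(SAMPLE_REPORT)
    for h in hosts:
        print(f"{h.address:10} open={h.open_ports()} states={h.state_counts()} mac={h.mac}")
    print(summary)
```

Note how state_counts() adds the "Not shown" count back in: Nmap only lists the interesting ports, so a report that shows four lines really describes 1000 scanned ports, and the hidden 996 are what tells you a firewall sits in front of that host.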


Scanning a Single IP/Host/Domain
See Figures 7 & 8. Examples:

  #nmap <live domain/hostname/IP/range of IPs/subnet>

  #nmap 10.0.0.1
  #nmap 10.0.0.1,2,3,4,5
  #nmap 10.0.0.1-5
  #nmap 10.0.0.0/8
  #nmap 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5
  #nmap spider
  #nmap spidernet.co.in

Be careful with the CIDR form: 10.0.0.0/8 covers 16,777,216 addresses,
and a default scan of all of them takes a very long time. Use -sL first
to see how many hosts a specification expands to.


root@spider-desktop:/# nmap 10.0.0.5

Starting Nmap 6.00 ( http://nmap.org ) at 2012-08-02 13:00 IST
Nmap scan report for 10.0.0.5
Host is up (0.000225s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
3389/tcp open  ms-wbt-server
MAC Address: 00:E0:1C:3B:65:B3 (Cradlepoint)

Nmap done: 1 IP address (1 host up) scanned in 4.79 seconds

Figure 7. Scanning single IP
Figure 8. Scanning domain
By default, Nmap scans the 1000 most commonly used TCP ports (UDP ports
are not touched unless you ask for them with -sU). If you compare the
results, you can


root@spider-desktop:/# nmap 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5

Starting Nmap 6.00 ( http://nmap.org ) at 2012-08-02 13:02 IST
Nmap scan report for 10.0.0.2
Host is up.
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:26:C6:15:23:FA (Intel Corporate)

Nmap scan report for 10.0.0.3
Host is up (0.000014s latency).
All 1000 scanned ports on 10.0.0.3 are closed

Nmap scan report for 10.0.0.4
Host is up.
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
631/tcp closed ipp
MAC Address: 00:E0:4C:4D:12:D9 (Realtek Semiconductor)

Nmap scan report for 10.0.0.5
Host is up (0.00018s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
3389/tcp open  ms-wbt-server
MAC Address: 00:E0:1C:3B:65:B3 (Cradlepoint)

Nmap done: 4 IP addresses (4 hosts up) scanned in 12.15 seconds

Figure 9. Multiple IP addresses


root@spider-desktop:/# nmap 10.0.0.2-5

Starting Nmap 6.00 ( http://nmap.org ) at 2012-08-02 13:04 IST
Nmap scan report for 10.0.0.2
Host is up.
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:26:C6:15:23:FA (Intel Corporate)

Nmap scan report for 10.0.0.3
Host is up (0.000014s latency).
All 1000 scanned ports on 10.0.0.3 are closed

Nmap scan report for 10.0.0.4
Host is up (0.00015s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
631/tcp closed ipp
MAC Address: 00:E0:4C:4D:12:D9 (Realtek Semiconductor)

Nmap scan report for 10.0.0.5
Host is up.
Not shown: 996 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
3389/tcp open  ms-wbt-server
MAC Address: 00:E0:1C:3B:65:B3 (Cradlepoint)

Nmap done: 4 IP addresses (4 hosts up) scanned in 11.82 seconds

Figure 10. Range of IP addresses
see that in Figure 7, where we scan a host on our own Ethernet segment,
Nmap reports the MAC address of the target's network card. In Figure 8,
the scan of a remote domain, many ports are shown open and closed but no
MAC address appears: Nmap learns MAC addresses from ARP on the local LAN
only, so a host behind a router never shows one. Next, we will scan
multiple IPs using the different shorthand notations.


Multiple IP Scanning

You can scan multiple IPs in different ways: by listing full IP
addresses separated by spaces (Figure 9), by giving a range inside an
octet (Figure 10), or by giving a comma-separated list of values for an
octet (Figure 11). The results are shown in the figures; all three forms
produce the same scan of the same hosts.
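The shorthand notations above are worth understanding precisely, because a typo in a range or a CIDR mask can turn a five-host scan into a sixteen-million-host one. The following Python code is an added example, not code from the article or from the Nmap project: it re-implements the subset of Nmap's target notation used here (ranges and comma lists in any octet, CIDR blocks, plain hostnames) so you can list or count the addresses a specification covers before you type it into nmap. Nmap's own parser also accepts a few forms not handled here, such as excluding hosts with --exclude.

```python
"""Expand Nmap target specifications into the individual IPv4 addresses they cover.

Added example; not code from the article or from the Nmap project. It
re-implements the subset of Nmap's target notation used in the article
(ranges, comma lists, CIDR and hostnames) so you can see exactly which
hosts a specification covers before you point nmap at it.
"""
from __future__ import annotations

import ipaddress
import itertools
import re
from typing import Iterator

_OCTET_PART = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
_OCTET_FIELD = re.compile(r"^[\d,\-*]+$")


def _expand_octet(spec: str) -> list[int]:
    """Expand one dotted field: '5', '1-5', '1,3,5', '1-3,7' or '*' (0-255)."""
    if spec == "*":
        return list(range(256))
    values: list[int] = []
    for part in spec.split(","):
        m = _OCTET_PART.match(part)
        if not m:
            raise ValueError(f"bad octet specification {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def _is_octet_spec(spec: str) -> bool:
    fields = spec.split(".")
    return len(fields) == 4 and all(_OCTET_FIELD.match(f) for f in fields)


def iter_target(spec: str) -> Iterator[str]:
    """Yield every address covered by one specification, lazily.

    Supported forms (all appear in the article):
      10.0.0.1           single address
      10.0.0.1-5         range inside an octet (allowed in any octet)
      10.0.0.1,2,3       comma list inside an octet
      10.0.0.0/30        CIDR block; like nmap, the .0 and broadcast addresses are included
      spidernet.co.in    anything else is a hostname, yielded unchanged for nmap to resolve
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)  # strict=False accepts 10.0.0.5/24
        for addr in net:
            yield str(addr)
    elif _is_octet_spec(spec):
        fields = [_expand_octet(f) for f in spec.split(".")]
        for combo in itertools.product(*fields):
            yield ".".join(map(str, combo))
    else:
        yield spec


def expand_target(spec: str) -> list[str]:
    """Materialise iter_target(); only use on specifications of sensible size."""
    return list(iter_target(spec))


def count_target(spec: str) -> int:
    """How many addresses a specification covers, without generating them."""
    spec = spec.strip()
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    if _is_octet_spec(spec):
        n = 1
        for f in spec.split("."):
            n *= len(_expand_octet(f))
        return n
    return 1


def expand_targets(specs) -> list[str]:
    """Expand a whole command line's worth of targets; keeps order, drops duplicates."""
    seen: dict[str, None] = {}
    for spec in specs:
        for addr in iter_target(spec):
            seen.setdefault(addr, None)
    return list(seen)


if __name__ == "__main__":
    for s in ("10.0.0.1-5", "10.0.0.2,4,5", "10.0.0.0/30", "10.0.0.0/8", "spidernet.co.in"):
        n = count_target(s)
        preview = expand_target(s) if n <= 8 else list(itertools.islice(iter_target(s), 3)) + ["..."]
        print(f"{s:16} -> {n:>9} target(s): {preview}")
```

count_target() is the check to run before a large scan: it reports 16,777,216 for 10.0.0.0/8 without allocating anything, which is the number of hosts the article's fourth example would actually try to scan.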


root@spider-desktop:/# nmap 10.0.0.2,4,5

Starting Nmap 6.00 ( http://nmap.org ) at 2012-08-02 13:03 IST
Nmap scan report for 10.0.0.2
Host is up (0.00277s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5357/tcp open  wsdapi
MAC Address: 00:26:C6:15:23:FA (Intel Corporate)

Nmap scan report for 10.0.0.4
Host is up (0.00014s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
631/tcp closed ipp
MAC Address: 00:E0:4C:4D:12:D9 (Realtek Semiconductor)

Nmap scan report for 10.0.0.5
Host is up (0.00018s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
3389/tcp open  ms-wbt-server
MAC Address: 00:E0:1C:3B:65:B3 (Cradlepoint)

Nmap done: 3 IP addresses (3 hosts up) scanned in 9.23 seconds

Figure 11. Scanning by specific multiple IPs
Figure 12. Firewall is not on

www.bsdmag.org


Host Discovery Scanning Technique / Ping Scanning Technique

Host discovery, or ping scanning, is very useful. When we ping a host we
learn whether it is live or not. In large organizations many
administrators block ICMP ping, so it is difficult to know whether a
system is live. Let's see an example with a Windows Server 2003
Enterprise machine. If the firewall on this server is not started (see
Figure 12), it answers our pings, so it is easy to find out that the
system is live. You can see the ping


H:\nmap-6.01>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=1ms TTL=128
Reply from 192.168.1.100: bytes=32 time=2ms TTL=128
Reply from 192.168.1.100: bytes=32 time=1ms TTL=128
Reply from 192.168.1.100: bytes=32 time=1ms TTL=128

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

Figure 13. Getting the response
H:\nmap-6.01>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Figure 15. Not getting reply
reply in Figure 13. But if we activate the firewall (Figure 14) and ping
the system again, it is very hard to tell whether the host is live: we
get no response at all to our ICMP echo requests (see Figure 15). Note
that "Request timed out" does not mean the host is down; it only means
nothing answered, which is exactly what a firewall that drops ICMP
produces.


Ping Scan

When a host is firewalled like this it is hard to know whether it is up,
and here Nmap plays an important role. If you only want to find out which
hosts are live, without port scanning them, use the -sP option (in Nmap 6
the preferred spelling is -sn; -sP is still accepted as an alias). Also
refer to Figure 16.

Syntax
  # nmap -sP <IP / Hostname>
  #nmap -sP 192.168.1.100

This option is also termed a ping sweep. It is the most useful option for
administrators who want to check their own network, and it combines with
CIDR notation (for example nmap -sP 192.168.1.0/24). The command is
valuable because it does not go on to port scanning, service detection
or OS detection, so it is fast and easy to use. Be aware that it is not a
plain ICMP ping: run as a privileged user, Nmap sends an ICMP echo
request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP
timestamp request, and on the local Ethernet it uses ARP requests, which
no host firewall can block. That is why a ping sweep often finds hosts
that ping itself cannot.


Host List Scanning
Syntax

  # nmap -sL <IP / Hostname / Domainname>
  #nmap -sL www.spidernet.co.in

Nmap's switches are easy to remember because they are short forms (like
-sL, which means List Scan). With -sL Nmap does not scan at all: it
simply lists every host covered by the target specification and performs
a reverse DNS lookup on each address, as you can see for spidernet.co.in
in Figure 17. This already reveals useful information: reverse DNS names
often tell you what an IP address is used for and where it is located.
Because nmap -sL sends no packets to the target systems themselves (the
only traffic is the DNS queries to your resolver), the target's IDS sees
nothing and the information is gathered without raising an alert on the
host. It is also a handy way to check how many hosts a target
specification covers before you scan it.


Scanning Without Ping

Before port scanning, Nmap sends host-discovery probes to each target
and, by default, only port scans the hosts that answered (you can watch
these packets with --packet-trace, see Figure 18). If the administrator
already knows that a system on his list is up, there is no point in
pinging it: with the -PN option (written -Pn in Nmap 6; both spellings
are accepted) Nmap skips host discovery and treats every target as up,
so he gets all the port information and saves the discovery round trips.
This is also shown in Figure 19. -PN is also the option to use when a
firewall blocks all the discovery probes but not the ports you want to
scan; without it Nmap reports such a host as down and never scans it.
Against ranges with many unused addresses the opposite applies: with -PN
Nmap port scans every address, including the dead ones, which takes far
longer.

Syntax

  # nmap -PN <IP / Hostname / Domainname>
  #nmap -PN www.spidernet.co.in


TCP SYN Ping

This ping is based on a probe to a particular TCP port. The -PS option
is used with any port (port 80 if you do not give one). It is called a
TCP SYN ping because the SYN flag tells the target that a connection
establishment is in progress. If the port is closed, the target answers
with a RST; if the port is open, it answers with a SYN/ACK, and Nmap then
tears the half-open connection down with a RST instead of completing the
handshake. Either answer proves that the host is up, which is the whole
point: we do not care whether port 80 is open, only whether something
responded. As you can see in Figure 20, ICMP is blocked on the 2003
server. In this situation, if we ping the target to find out whether it
is up, we get "Request timed out" (see Figure 15). But if the web server
is running on port 80 and the site is up (see Figure 21), our work is
easy: we give Nmap the option -PS80 and learn whether the target host is
available.

Syntax

  # nmap -PS<port> <IP /Hostname / Domainname>
  #nmap -PS80 192.168.1.100

Here we also combine it with -sP for a ping-only scan (nmap -sP -PS80
192.168.1.100). Nmap gives a lot of flexibility in using different
options simultaneously.

Figure 22. Result of -PS


TCP ACK Ping

Similarly, a TCP ACK ping is available in Nmap. It works like the SYN
ping but with a small difference: the probe has only the ACK flag set,
as if it were acknowledging data on a connection that does not exist. A
host that follows the TCP rules answers an unsolicited ACK with a RST,
whether the port is open or closed, and that RST proves the host is up.

Syntax

  # nmap -PA<port> <IP / Hostname / Domainname>
  #nmap -PA80 192.168.1.100

Nmap has both probes because each has a chance to bypass a different
kind of firewall. A stateless packet filter that blocks incoming SYN
packets to unpublished ports usually lets ACK packets through, since it
assumes they belong to established connections; so if the SYN ping does
not work because the admin blocks it, the ACK ping may. A stateful
firewall, on the other hand, drops the unsolicited ACK but may allow a
SYN to a published port, so sending both (-PS -PA) covers both cases.
UDP Ping

The UDP ping (-PU) is a discovery option that sends an empty UDP
datagram to the target host, by default to port 31338, a port chosen
because it is very unlikely to be in use; you can give another port. The
response Nmap hopes for is an ICMP port unreachable error from a closed
port, which proves the host is up; an open UDP service usually says
nothing at all when it receives an empty datagram. The option is useful
against administrators who only filter TCP in their firewall: if the
firewall is configured that poorly, the ICMP error comes back and tells
you the host is there.

Syntax

  # nmap -PU<port> <IP / Hostname / Domainname>
  #nmap -PU 192.168.1.100


Three different ICMP Ping Scans

There are three different ICMP ping probes available in Nmap: 1) ICMP
echo ping, option -PE; 2) ICMP timestamp ping, -PP; 3) ICMP address mask
ping, -PM.

1) The ICMP echo ping (-PE) is the classic ping packet (ICMP type 8,
   echo request) and is the best choice on a LAN. An echo request is
   also part of Nmap's default host discovery when you give no ping
   option at all, together with a TCP SYN to port 443, a TCP ACK to port
   80 and an ICMP timestamp request (an unprivileged user gets only the
   TCP probes). On the Internet it is the probe most often blocked.

2) The ICMP timestamp ping (-PP) sends an ICMP timestamp request (type
   13) and expects a timestamp reply (type 14). Some improperly
   configured firewalls block echo requests but forget these rarer
   types, so the host still replies.

3) The ICMP address mask ping (-PM) sends an address mask request (type
   17) and expects an address mask reply (type 18); it works for the
   same reason.

ICMP Echo Ping Syntax

  # nmap -PE <IP / Hostname / Domainname>
  #nmap -PE 192.168.1.100

ICMP Timestamp Syntax

  # nmap -PP <IP / Hostname / Domainname>
  #nmap -PP 192.168.1.100

ICMP Address Mask Syntax

  # nmap -PM <IP / Hostname / Domainname>
  #nmap -PM 192.168.1.100


IP Protocol Ping

Here you can see the tremendous flexibility of Nmap: the -PO option
sends IP packets with the given protocol numbers in the IP header and
counts any response, either a reply in the same protocol or an ICMP
protocol unreachable error, as proof that the host is up. The default
protocol list is 1 (ICMP), 2 (IGMP) and 4 (IP-in-IP) (see Figure 23).

Syntax

  # nmap -PO1,2,4 <IP / Hostname / Domainname>
  #nmap -PO 192.168.1.100
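The ping options above differ in which kind of filtering each one survives, and the rule Nmap applies is the same for all of them: any response at all, including a RST or an ICMP error, means the host is up. The following Python code is an added example, not code from the article or from the Nmap project: it models the -PE, -PS, -PA and -PU probes against a few simple firewall policies and shows which option would have found the host in each case. The firewall models and the target host are simulations written for this example; the probe and response behaviour follows the Nmap reference guide.

```python
"""Which host-discovery probe gets an answer through which kind of firewall.

Added example; not code from the article or the Nmap project. The probe and
response rules follow the Nmap reference guide for -PE, -PS, -PA and -PU; the
firewall models and the target host are simulations written for this example.
"""
from __future__ import annotations

from typing import Callable, Optional, Tuple

Probe = Tuple[str, Optional[int]]     # (kind, port): kind is icmp-echo, tcp-syn, tcp-ack or udp
Firewall = Callable[[Probe], bool]   # True if the probe is allowed to reach the host

# The probes behind the article's options. -PS and -PA default to port 80; -PU to 31338.
PROBES: dict[str, Probe] = {
    "-PE": ("icmp-echo", None),
    "-PS80": ("tcp-syn", 80),
    "-PS22": ("tcp-syn", 22),
    "-PA80": ("tcp-ack", 80),
    "-PU": ("udp", 31338),
}


def host_responds(probe: Probe, open_tcp: frozenset, listening_udp: frozenset) -> Optional[str]:
    """What an unfirewalled host sends back, following the RFCs."""
    kind, port = probe
    if kind == "icmp-echo":
        return "icmp-echo-reply"
    if kind == "tcp-syn":
        return "tcp-syn-ack" if port in open_tcp else "tcp-rst"   # a closed port still answers
    if kind == "tcp-ack":
        return "tcp-rst"                                          # unsolicited ACK: RST either way
    if kind == "udp":
        # A listening UDP service usually ignores an empty datagram; a closed port returns
        # ICMP port unreachable. So -PU proves the host is up by hitting a *closed* port.
        return None if port in listening_udp else "icmp-port-unreachable"
    raise ValueError(f"unknown probe kind {kind}")


# --- firewall models (simulations for this example) ---------------------------

def fw_none(probe: Probe) -> bool:
    return True


def fw_block_icmp(probe: Probe) -> bool:
    """The common 'block ping' rule: everything but ICMP echo passes."""
    return probe[0] != "icmp-echo"


def fw_stateless_web(probe: Probe) -> bool:
    """Stateless filter: SYN only to port 80, ACK anywhere (assumed to be established traffic)."""
    kind, port = probe
    return (kind == "tcp-syn" and port == 80) or kind == "tcp-ack"


def fw_stateful_web(probe: Probe) -> bool:
    """Stateful firewall: new connections only to 80/443; unsolicited ACK, UDP and ICMP dropped."""
    kind, port = probe
    return kind == "tcp-syn" and port in (80, 443)


def host_up(probe: Probe, firewall: Firewall,
            open_tcp: frozenset = frozenset(),
            listening_udp: frozenset = frozenset()) -> Tuple[Optional[str], bool]:
    """Nmap marks a host up on *any* response to a discovery probe, a RST or ICMP error included."""
    if not firewall(probe):
        return None, False
    resp = host_responds(probe, open_tcp, listening_udp)
    return resp, resp is not None


def discovery_matrix(firewalls: dict[str, Firewall],
                     open_tcp: frozenset = frozenset({80})) -> dict[str, dict[str, bool]]:
    """For each firewall model, which ping option would have found the host."""
    return {name: {opt: host_up(p, fw, open_tcp)[1] for opt, p in PROBES.items()}
            for name, fw in firewalls.items()}


if __name__ == "__main__":
    models = {"no firewall": fw_none, "block ICMP": fw_block_icmp,
              "stateless web": fw_stateless_web, "stateful web": fw_stateful_web}
    for name, row in discovery_matrix(models).items():
        found = [opt for opt, ok in row.items() if ok]
        print(f"{name:14} host found by: {', '.join(found) or 'nothing'}")
```

The matrix makes the article's point concrete: behind the "block ICMP" rule -PE fails but even -PS22 against a closed port succeeds, because the RST is a response; behind the stateless filter only the ACK probe and the SYN to the published port get through; behind the stateful firewall only the SYN to a published port does, which is why Nmap's default discovery sends several probe types at once.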


Other Important Options for Host Discovery

Nmap is really in-depth, so it is not possible to try all the options in
practice. Here I'll show you some important switches. All of them are
used with host discovery and you can combine them as your situation
requires:

--packet-trace

In Figure 18 (packet tracing) you can see every packet Nmap sends and
receives, including sequence numbers, Time to Live values and TCP flags.
It is the quickest way to learn what a given option really puts on the
wire, and the way to check that a firewall is dropping your probes
rather than the host being down.


Figure 27. Xmas scan (the closed port answers the probe with a RST)
--data-length <length>

Most Nmap probes carry no payload, which makes them easy for an
intrusion detection system to recognize. The --data-length switch
appends <length> random bytes of data to most packets Nmap sends, so
the probes look less like Nmap's defaults. It works with TCP, UDP and
ICMP probes alike; it slows the scan slightly, and it is not applied to
OS detection probes, whose sizes must stay fixed.

-n

The -n option disables all reverse DNS resolution. This speeds up a scan
and keeps your resolver from leaking the list of addresses you are
interested in.

-R

The -R option forces reverse DNS resolution for every target, even hosts
that appear to be down (by default Nmap only resolves hosts that
respond).

--dns-servers <server1>[,<server2>[,...]]

This names the servers Nmap uses for its reverse DNS queries. By default
Nmap reads the system's resolver configuration to find them: the
resolv.conf file on Unix-like systems, or the registry on a Windows
system. --dns-servers overrides that, which is useful, for example, to
query a target organization's own name servers, whose records may reveal
more than your ISP's resolver.


Advanced Scanning Techniques

TCP Connect Scan -sT

The TCP connect scan is the scan Nmap uses when the user lacks
raw-packet privileges (it is the default for unprivileged users; with
root, the SYN scan is used instead). It relies on the operating system's
connect() call, so every probe is a complete three-way handshake: Nmap
sends a SYN to a port such as port 22; if the port is open the host
answers with a SYN/ACK; the system completes the connection with an ACK,
and only then does Nmap close it. When all ports have been tried the
connections are closed and the scan is done. This technique has

Figure 29. FIN scan result (Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds)
a drawback: because each connection is fully established, the
application listening on an open port sees it and usually logs it, and
an IDS catches the scan and records the source address, so the admin can
easily see which IP scanned his system.

Figure 24 shows how the connection is established and closed. This
disadvantage is what the TCP SYN (stealth) scan -sS was developed to
avoid; it is the counterpart of -sT. You can see the result of -sT in
Figure 25.

Syntax

  # nmap -sT <IP / Hostname / Domainname>
  #nmap -sT 192.168.1.100

TCP SYN Scan -sS

This scan needs root (raw socket) privileges, because Nmap builds the
SYN packets itself. It is called a half-open or stealth scan because it
never completes the TCP connection: Nmap sends a SYN, reads the answer
(SYN/ACK means open, RST means closed, no response or an ICMP
unreachable error means filtered) and, for an open port, immediately
sends a RST instead of the final ACK. The application never receives a
connection, so it usually logs nothing. The SYN scan is the default and
most common scan type for privileged users: it can scan thousands of
ports per second on a fast network that is not hampered by restrictive
firewalls, and it works against any compliant TCP stack. Stealthy does
not mean invisible, though: a network IDS sees the half-open connections
just fine.

Syntax

  # nmap -sS <IP / Hostname / Domainname>
  #nmap -sS 192.168.1.100
UDP Scan -sU

User Datagram Protocol (UDP) services are scanned with the -sU switch.
It is much slower than a TCP scan, because UDP has no handshake and many
systems rate-limit the ICMP error messages Nmap relies on, but it is no
less important: DNS (53), NTP (123), SNMP (161) and DHCP all run over
UDP. Many administrators ignore UDP because it is harder to scan than
TCP; that is a big mistake, because attackers do scan it, as you can see
in Figure 26. Once we scan the 2003 server, we see that ports 53, 123
and others are open.

Syntax

  # nmap -sU <IP / Hostname / Domainname>
  #nmap -sU 192.168.1.100

Nmap sends an empty UDP datagram to every port (for a few well-known
ports it sends a protocol-specific payload that is more likely to draw a
reply). A UDP scan shows four states: open, open|filtered, closed and
filtered. Open means the host answered with a UDP packet. Open|filtered
means there was no response, even after retransmissions: either the port
is open but the service ignored our empty datagram, or a filter dropped
the probe. Closed means the host returned an ICMP port unreachable
error (type 3, code 3). Filtered means an ICMP unreachable error with
another code came back (type 3, codes 1, 2, 9, 10 or 13). By default
the UDP scan is slow, but you can speed it up by combining -sU with
other options: -sV with --version-intensity 0 sends the known payloads
to resolve open|filtered ports, --max-retries limits retransmissions,
--host-timeout abandons slow hosts, and -v enables verbose mode so you
can watch the progress.


TCP Xmas, Null, and Fin Scans with --scanflags

Before we look at the Xmas, Null and FIN scans, we need to know what happens when a connection is established with the SYN, FIN, ACK, URG, PUSH and RESET flags. The SYN and FIN flags are used to establish and to close the TCP connection. The ACK flag is set so that the acknowledgment field is valid, and it gets the attention of the target system. The URG flag indicates that the segment contains urgent data, while the PUSH flag means the sender has invoked the push operation, which tells the receiving side of TCP that it should notify the receiving process of this fact. Finally, the RESET flag indicates that the receiver has become confused and wants to abort the connection. Now, let's see what the Xmas scan can do. This scan turns flag bits on and off in the packet, lighting it up much like a Christmas tree. A closed port responds to an Xmas tree scan with RST, as you can see in Figure 27.

Syntax

# nmap -sX <IP / Hostname / Domainname>
# nmap -sX 192.168.1.100


TCP Fin Scan

In this scan, the TCP FIN bit is set when packets are sent, in an attempt to solicit a TCP ACK from the destination target host. This is another choice for scanning and gathering information from a target system that is protected by a firewall.

Syntax

# nmap -sF <IP / Hostname / Domainname>
# nmap -sF 192.168.1.100
TCP Null Scan

TCP Null scanning is fast compared to other port scanning options. In this scan no TCP flags are enabled, so the flag field of the packet header is 0. The Null scan sends no flags in the packet header; if the port is closed on the target machine, the reply will be RST packets. This type of scan has the major advantage of getting through stateless firewalls or ACL filters.

Syntax

# nmap -sN <IP / Hostname / Domainname>
# nmap -sN 192.168.1.100


You can see the similarity between all the figures of the TCP FIN, Null and Xmas scans in Figures 28, 29 and 30: the results are the same. You can customize these three scans with --scanflags. This option provides a lot of flexibility in scanning.

Syntax

# nmap --scanflags FINACKURGPSH <IP / Hostname / Domainname>
# nmap --scanflags FINACKURGPSH 192.168.1.100
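The FIN, Null, Xmas and --scanflags probes above are exactly what an IDS keys on when it logs a scan, as mentioned earlier. As an added example (not code from the article), this C program parses an Nmap-style --scanflags name list into a TCP flag byte, names the probe type a flag combination corresponds to, and counts, over a constructed set of packet records, how many distinct ports one source touched with flag-anomalous probes; the record layout, the sample addresses and the probe type names are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* TCP flag bits in RFC 793 header order (lowest bit = FIN). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_ECE 0x40
#define TCP_CWR 0x80

/* Parse an Nmap-style --scanflags list such as "FINACKURGPSH" (names run
 * together, any order) into a flag byte. Returns 0 on success, -1 on an
 * unknown name. */
int parse_scanflags(const char *spec, unsigned char *out)
{
    static const struct { const char *name; unsigned char bit; } names[] = {
        {"FIN", TCP_FIN}, {"SYN", TCP_SYN}, {"RST", TCP_RST}, {"PSH", TCP_PSH},
        {"ACK", TCP_ACK}, {"URG", TCP_URG}, {"ECE", TCP_ECE}, {"CWR", TCP_CWR},
    };
    unsigned char flags = 0;
    size_t i = 0, n = strlen(spec);
    while (i < n) {
        int matched = 0;
        for (size_t k = 0; k < sizeof names / sizeof names[0]; k++) {
            size_t len = strlen(names[k].name);
            if (strncmp(spec + i, names[k].name, len) == 0) {
                flags |= names[k].bit;
                i += len;
                matched = 1;
                break;
            }
        }
        if (!matched)
            return -1;
    }
    *out = flags;
    return 0;
}

/* Name the scan type a flag combination corresponds to (hypothetical labels);
 * "other" for anything that is not one of the probes described in the article. */
const char *classify_probe(unsigned char flags)
{
    switch (flags) {
    case 0:                           return "NULL";  /* -sN */
    case TCP_FIN:                     return "FIN";   /* -sF */
    case TCP_FIN | TCP_PSH | TCP_URG: return "XMAS";  /* -sX */
    case TCP_SYN:                     return "SYN";   /* -sS */
    case TCP_ACK:                     return "ACK";   /* -sA */
    default:                          return "other";
    }
}

/* One observed TCP segment (assumed record shape): source, dest port, flags. */
struct probe { const char *src; int dport; unsigned char flags; };

/* Count the distinct destination ports on which `src` sent a NULL, FIN or
 * XMAS probe. No legitimate client opens a connection with those flag sets,
 * so several such ports from one source is the pattern an IDS would log. */
int anomalous_ports(const struct probe *p, int n, const char *src)
{
    static unsigned char seen[65536];
    memset(seen, 0, sizeof seen);
    int count = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(p[i].src, src) != 0)
            continue;
        const char *kind = classify_probe(p[i].flags);
        if (strcmp(kind, "NULL") && strcmp(kind, "FIN") && strcmp(kind, "XMAS"))
            continue;                           /* SYN, ACK, other: normal */
        if (p[i].dport < 0 || p[i].dport > 65535)
            continue;
        if (!seen[p[i].dport]) {
            seen[p[i].dport] = 1;
            count++;
        }
    }
    return count;
}

/* Constructed sample traffic: 10.0.0.5 probes four ports with FIN, Xmas and
 * Null segments (one retransmitted); 10.0.0.9 is a normal client on port 80. */
const struct probe SAMPLE[] = {
    {"10.0.0.5", 22,  TCP_FIN},
    {"10.0.0.5", 25,  TCP_FIN},
    {"10.0.0.5", 80,  TCP_FIN | TCP_PSH | TCP_URG},
    {"10.0.0.5", 443, 0},
    {"10.0.0.5", 443, 0},
    {"10.0.0.9", 80,  TCP_SYN},
    {"10.0.0.9", 80,  TCP_ACK},
    {"10.0.0.9", 80,  TCP_PSH | TCP_ACK},
};
const int SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

int main(void)
{
    unsigned char f;
    if (parse_scanflags("FINACKURGPSH", &f) == 0)
        printf("--scanflags FINACKURGPSH = 0x%02x (%s)\n", f, classify_probe(f));
    printf("10.0.0.5 anomalous ports: %d\n", anomalous_ports(SAMPLE, SAMPLE_LEN, "10.0.0.5"));
    printf("10.0.0.9 anomalous ports: %d\n", anomalous_ports(SAMPLE, SAMPLE_LEN, "10.0.0.9"));
    return 0;
}
```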


TCP ACK Scan

First we have to understand the results that the ACK scan gives. Unfiltered (TCP RST response) means special rules apply on the target's firewall. Filtered (ICMP unreachable error or no response) means the system is protected by the firewall. You can see in Figure 32 that "All 1000 scanned ports on 192.168.1.100 are unfiltered."

Syntax

Figure 34. -O Scan Result
Other Important Options for Advanced Scanning Techniques

In advanced scanning there are many options available, but we will not cover them all.

--send-eth

This option tells Nmap to bypass the IP layer on your system and send raw Ethernet packets on the data link layer. It is a rarely used option.

Syntax

# nmap --send-eth <IP / Hostname / Domainname>
# nmap --send-eth 192.168.1.100

-sO

This option is used for protocol scanning. From this scan you learn which protocols are running on the target host; the most common are TCP, UDP and ICMP. You can see Figure 33, where the 2003 server is being scanned.

--send-ip

This option forcefully tells Nmap to scan using the local system's IP stack instead of generating raw Ethernet packets. It is used in rare cases.
Nmap: How to Use it


Name Based Port Scanning

Multiple uses of -p

The -p option has multiple uses: you can scan based on the service name, like smtp, pop2, etc., and you can also scan by port number, like 53, 25, etc. This is the most flexible option of all, because if you want to scan a specific UDP or TCP port you simply write U:[port number] or T:[port number]. You can also use the wildcard -p "*", which tells Nmap to scan all ports.

Syntax

# nmap -p [port numbers separated by commas, or a range] <IP / Hostname / Domainname>
# nmap -p 25,80,53-200 192.168.1.100

# nmap -p [name] <IP / Hostname / Domainname>
# nmap -p smtp,http 192.168.1.100

# nmap -p U:[port number],T:[port number] <IP / Hostname / Domainname>
# nmap -p U:53,T:25 192.168.1.100

# nmap -p "*" <IP / Hostname / Domainname>
# nmap -p "*" 192.168.1.100


OS & Service Scanning

Operating System Detection

OS detection works best when at least one port is open and one port is closed. The -O option is used to find out which operating system is running on the target system. You can see this in Figure 34, where the target is a Windows 2003 server, and in Figure 35, where Ubuntu is installed.

Syntax

# nmap -O <IP / Hostname / Domainname>
# nmap -O 192.168.1.100


Service Detection

Service detection is enabled with the -sV option. With this option you can find out which services are running on the target host.

Syntax

# nmap -sV <IP / Hostname / Domainname>
# nmap -sV 192.168.1.100


Guess Unknown OS

This scan shows you the possible matches for the target OS. For this scan, you use the --osscan-guess option.

Syntax

# nmap --osscan-guess <IP / Hostname / Domainname>
# nmap --osscan-guess 192.168.1.100


Firewall Evasion Technique

Spoof MAC address

In this example, you can see that Nmap generates a fake MAC address to use for scanning. There are three ways to spoof the MAC address. The first is to give 0; Nmap will then generate a random MAC address belonging to any vendor, such as 3Com. You can also specify the MAC address yourself, or give a vendor name.

Syntax

# nmap --spoof-mac [vendor | MAC | 0] <IP / Hostname / Domainname>
# nmap --spoof-mac 0 192.168.1.100


Decoy Use

The decoy option gives the best performance during scanning because it generates additional packets and creates the illusion that the system is being scanned by multiple hosts. With this option it is hard to trace which system is scanning, or where the scan is coming from. You can specify the decoys as decoy1, decoy2, etc.; see Figure 38.

Syntax

# nmap -D RND:[number of decoys] <IP / Hostname / Domainname>
# nmap -D RND:10 192.168.1.100


Nmap Scripting Engine

1) nmap --script smb-os-discovery 192.168.1.100: the smb-os-discovery script gives you the result (which OS is running on the target system).

Syntax

# nmap --script smb-os-discovery <IP / Hostname / Domainname>
# nmap --script smb-os-discovery 192.168.1.100

Figure 39. smb-os-discovery

2) nmap --script smb-system-info 192.168.1.100: the smb-system-info script gives information about the system.

Syntax

# nmap --script smb-system-info <IP / Hostname / Domainname>
# nmap --script smb-system-info


Nmap is very complex. There is also a time-based scanning technique available, and the Nmap Scripting Engine, which is a very useful Nmap option. Using it, you can find all sorts of information on users, shares, etc. NSE scripts define a list of categories they belong to. Currently defined categories are auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Category names are not case-sensitive. NSE scripts consist of a handful of descriptive fields, a rule defining when the script should be executed, and an action function containing the actual script instructions. Values can be assigned to the descriptive fields just as you would assign any other Lua variables.
How to Use The Mac OS X Hackers Toolbox


When you think of an operating system to run pen testing tools on, you probably think of Linux and more specifically, BackTrack Linux. BackTrack Linux is a great option and one of the most common platforms for running pen testing tools. If you are a Mac user, then you would most likely run a virtual machine of BackTrack Linux.


While this is a great option, sometimes it is nice to have your tools running on the native operating system of your computer. Another benefit is not having to share your system resources with a virtual machine. This also eliminates the need to transfer files between your operating system and a virtual machine, and the hassles of having to deal with a virtual machine. Also, by running the tools within OS X, you will be able to seamlessly access all of your Mac OS X applications.

My attack laptop happens to be a MacBook Pro and I started out running VirtualBox with a BackTrack Linux virtual machine. I recently started installing my hacking tools on my MacBook Pro. I wanted to expand the toolset of my Mac, so I started with Nessus, nmap, SQLMap, and then I installed Metasploit. My goal is to get most, if not all, of the tools I use installed on my MacBook Pro and run them natively within OS X. Since Mac OS X is a UNIX based operating system, you get great tools that come natively with UNIX operating systems such as netcat and SSH. You also have powerful scripting languages installed such as Perl and Python. With all of the benefits and features of Mac OS X, there is no reason not to use Mac OS X as your pen testing platform. I was really surprised to see that there is not a lot of information on the subject of using Mac OS X as a pen testing/hacking platform. Metasploit was the toughest application to get running on Mac OS X and that was mostly due to the PostgreSQL database setup. The majority of hacking tools are command line based, so they are easy and fairly straightforward to install.

In this article, I am going to take you through the installation and configuration of some of the most popular and useful hacking tools, such as Metasploit, on Mac OS X. If you are interested in maximizing the use of your Mac for pen testing and running your tools natively, then you should find this article helpful.


The Tools

The pen test tools we will be installing are must-haves and all of them are free, with the exception of Burp Suite and Nessus (although Burp Suite has a free version, which offers a portion of the Burp Suite tools for free). The tools offered for free with Burp Suite are useful tools and I highly recommend them. The professional version of Burp Suite is reasonably priced.


• Metasploit Framework
• Nmap
• SQLmap
• Burp Suite
• Nessus
• SSLScan
• Wireshark
• TCPDUMP
• Netcat


Metasploit Framework 

The Metasploit Framework is one of the most popu- 
lar and powerful exploit tools for pen testers and a must 
have for pen testers. The Metasploit Framework simpli- 
fies the exploitation process and allows you to manage 
your pen tests with the workspace function in Metasploit. 
Metasploit also allows you to run nmap within Metasploit 
and the scan information is organized by project with the 
workspace function. You can create your own exploits and 
modify existing exploits in Metasploit. Metasploit has too 
many features to mention in this article, and the scope of 
this article is to demonstrate how to install Metasploit and 
other pen testing tools. 


The Install 

Before we install Metasploit, we need to install some 
software dependencies. It is a little more work to install 
Metasploit on Mac OS X, but it will be worth it. Listed be- 
low are the prerequisite software packages. 


Software Prerequisites

• MacPorts
• Ruby 1.9.3
• Homebrew
• PostgreSQL


MacPorts Installation

Install Xcode

• Install Xcode from the Apple App Store, or download it from the following URL: https://developer.apple.com/xcode/

• Once Xcode is installed, go into the Xcode preferences and install the "Command Line Tools". (See Figure 1)

Install the MacPorts app

• Download and install the package (.dmg) file from the MacPorts web site: https://distfiles.macports.org/MacPorts/
  Once the file is downloaded, install MacPorts. More information on MacPorts can be found here: http://www.macports.org/install.php

• Run MacPorts selfupdate to make sure it is using the latest version. From a terminal window run the following command:

$ sudo port selfupdate


Ruby 1.9.3

Mac OS X comes with Ruby preinstalled, but we want to upgrade to Ruby 1.9.3.

• We will be using MacPorts to upgrade Ruby. From a terminal window run the following command:

$ sudo port install ruby19 +nosuffix

• The default Ruby install path for MacPorts is /opt/local/. It is a good idea to verify that the PATH is correct, so that /opt/local/bin is listed before /usr/bin. You should get back something that looks like this:

/opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin

You can verify the path by entering the following syntax in a terminal window:

$ echo $PATH

To verify the Ruby install locations, enter this syntax:

$ which ruby gem

You should get back the following response:

/opt/local/bin/ruby
/opt/local/bin/gem
Figure 1. Install "Command Line Tools"
Database Installation

A database is not required to run Metasploit, but some of its features require that you install one. The workspace feature of Metasploit is one of its really nice features that requires a database. Workspace allows easy project organization by offering a separate workspace for each project. PostgreSQL is the vendor-recommended and supported database, but MySQL can be used. In this article, we will be using PostgreSQL.

We will use Homebrew to install PostgreSQL. I tried a few different installation methods, but this is the easiest way to install PostgreSQL. Homebrew is a good method to install Open Source software packages.

• First we will install Homebrew. From a terminal window run the following command:

$ ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

• Next we will install PostgreSQL using Homebrew. From a terminal window run the following command:

$ brew install postgresql
Figure 2. This is one of the many Metasploit screens you will see when launching Metasploit
• Next we initialize the database, configure the startup, and start PostgreSQL. From a terminal window run the following commands:

$ initdb /usr/local/var/postgres
$ cp /usr/local/Cellar/postgresql/9.1.4/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/
$ launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist
$ pg_ctl -D /usr/local/var/postgres -l /usr/local/var/postgres/server.log start


• Database configuration

In this step we will create our Metasploit database and the database user.

• The Homebrew install does not create the postgres user, so we need to create the postgres user in order to create databases and database users. At a command prompt, type the following:

$ createuser postgres_user -P
Enter password for new role: password
Enter it again: password
Shall the new role be a superuser? (y/n) y
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) y

• Creating the database user. At a command prompt, type the following:

$ createuser msf_user -P
Enter password for new role: password
Enter it again: password
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

• Creating the database. At a command prompt, type the following:

$ createdb --owner=msf_user msf_database

• Install the pg gem. At a command prompt, type the following:

$ gem install pg

The database and database user are created, so now it is time to install Metasploit.
Metasploit software installation

The dependencies have been installed and next we will install the Metasploit software.

• Download the Metasploit source code for installation using the link provided below; do not download the .run file from the Metasploit download page. Download the Metasploit tar file from: http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2.

• Once the download is complete, untar the file. If you have software installed to unzip or untar files, then it should untar the file when the download finishes. I use StuffIt Expander and it untarred the file for me upon completion of the download. If you need to manually untar the file, type this command at the command line and it will untar the file into the desired directory:

$ sudo tar -xvf framework-latest.tar.bz2 -C /opt

If the file was untarred for you as mentioned, you will need to move the Metasploit source file structure to the /opt directory. Your directory structure should look like this:

/opt/metasploit3/msf3


Starting Metasploit 

Now that Metasploit is installed, we will start Metasploit for 
the first time. You will need to navigate to the Metasploit 
directory and start Metasploit. 


• Navigate to the Metasploit directory with the following syntax entered at the command line:

$ cd /opt/metasploit/msf3

• To start Metasploit, simply enter the following syntax:

$ sudo ./msfconsole


You will get one of the many Metasploit screens like 
the one in Figure 2. 


Connecting to the database 

In this next step, we will connect Metasploit to our Post- 
greSQL database. From the Metasploit prompt, type the 
following syntax: 


msf > db_connect msf_user:password@127.0.0.1/msf_database


You will see the following message and you should 
be connected. 


Listing 1. Database Backend Commands as displayed in the Metasploit console

Database Backend Commands

    creds             List all credentials in the database
    db_connect        Connect to an existing database
    db_disconnect     Disconnect from the current database instance
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache
    db_status         Show the current database status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces
[*] Rebuilding the module cache in the background...

Type in the following syntax to verify the database is connected:

msf > db_status

You will get the following back, verifying the database is connected:

[*] postgresql connected to msf_database

The database is now connected to Metasploit, but once you exit Metasploit the database will be disconnected. To configure Metasploit to automatically connect on startup, we will have to create the msfconsole.rc file.

Enter the following syntax at the command prompt:

$ cat > ~/.msf3/msfconsole.rc << EOF
db_connect -y /opt/metasploit3/config/database.yml
EOF


Updating Metasploit 

Now that we have Metasploit installed and configured, we 
will update the Metasploit installation. From the command 
prompt, type the following syntax: 


$ ./msfupdate


This can take a while, so just sit back and let the update 
complete. Make sure to update Metasploit frequently so 
you have the latest exploits. 


The benefits of Metasploit with database

Now that Metasploit is installed, the database is connected and ready to use. So what can you do with Metasploit with a database that you couldn't do without one? Listing 1 shows the Metasploit Database Backend Commands, taken directly from the Metasploit console. The commands are pretty much self-explanatory, but it should be noted that db_import allows you to import nmap scans done outside of Metasploit. This comes in handy when you are working with others on a pen test and you want to centrally manage your pen test data. As mentioned earlier, workspace helps you manage your pen tests by allowing you to store them in separate areas of the database. A great reference guide for Metasploit can be found at Offensive Security's website: http://www.offensive-security.com/metasploit-unleashed/Main_Page.


Nmap

Nmap is an open source network discovery and security auditing tool. You can run nmap within Metasploit, but it is good to have nmap installed so you can also run it outside of Metasploit. We will use Homebrew to install nmap. From the command prompt, type the following syntax:

$ brew install nmap

Visit the Nmap website for the Nmap reference guide: http://nmap.org/book/man.html.


SQLmap 

SQLmap is a penetration testing tool that detects SQL in- 
jection flaws and automates SQL injection. From the com- 
mand prompt, type the following syntax: 


$ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev


Burp Suite

Burp Suite is a set of web security testing tools, including Burp Proxy. To install Burp Suite, download it from: http://www.portswigger.net/burp/download.html.

To run Burp, type the following syntax from the command prompt:

$ java -jar -Xmx1024m burpsuite_v1.4.01.jar

For more information on using Burp, go to the Burp Suite website: http://www.portswigger.net/burp/help/.


Nessus 

Nessus is a commercial vulnerability scanner and it can 
be downloaded from the Tenable Network website: http:// 
www.tenable.com/products/nessus/nessus-download- 
agreement. 

Download the file Nessus-5.x.x.dmg.gz, and then dou- 
ble click on it to unzip it. Double click on the Nessus- 
5.x.x.dmg file, which will mount the disk image and make 
it appear under “Devices” in “Finder”. Once the volume 
“Nessus 5” appears in “Finder”, double click on the file 
Nessus 5. 

The Nessus installer is GUI based like other Mac OS X applications, so there are no special instructions to document. The Nessus 5.0 Installation and Configuration Guide as well as the Nessus 5.0 User Guide can be downloaded from the documentation section of the Tenable Network website: http://www.tenable.com/products/nessus/documentation.


SSLScan

SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported. To install sslscan, type the following syntax at the command prompt:

$ brew install sslscan


Wireshark

Wireshark is a packet analyzer and can be useful in pen tests. The Wireshark DMG package can be downloaded from the Wireshark website: http://www.wireshark.org/download.html. Once the file is downloaded, double click to install Wireshark.


TCPDUMP 

TCPDUMP is a command line packet analyzer that is pre- 
installed on Mac OS X. For more information consult the 
man page for tcpdump by typing the following syntax at 
the command prompt: 


$ man tcpdump


Netcat 

Netcat is a multipurpose network utility that is preinstalled 
on Mac OS X. Netcat can be used for port redirection, 
tunneling, and port scanning to name just a few of the ca- 
pabilities of Netcat. Netcat is used a lot for reverse shells. 
For more information on Netcat, type the following syntax 
at the command prompt: 


$ man nc


Conclusion

By following the instructions in this article, you will have a fully functional set of hacking tools installed on your Mac and you will be able to run them natively without having to start a virtual machine or deal with the added administrative overhead that comes with running a virtual machine. You will also not have to share resources with a virtual machine. I hope you found this article useful and I hope you enjoy setting up your Mac OS X hacker toolbox as much as I did. With Macs increasing in popularity, I can only imagine that they will become more widely used in pen testing.


PHILLIP WYLIE

Phillip Wylie is a security consultant specializing in penetration testing, network vulnerability assessments and application vulnerability assessments. Phillip has over 8 years of experience in information security and 7 years of system administration experience.
The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.


WHAT CERTIFICATIONS ARE AVAILABLE?


BSDA: Entry-level certification suited for candidates 
with a general Unix background and at least six months of 
experience with BSD systems. 


BSDP: Advanced certification for senior system administrators 
with at least three years of experience on BSD systems. 
Successful BSDP candidates are able to demonstrate 

strong to expert skills in BSD Unix system administration. 


WHERE CAN I GET CERTIFIED?


We're pleased to announce that, after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.


Payments are made through our registration website: 
https://register.bsdcertification.org//register/payment 


WHERE CAN I GET MORE INFORMATION?


More information and links to our mailing lists, LinkedIn 
groups, and Facebook group are available at our website: 
http://www.bsdcertification.org 


Registration for upcoming exam events is available at our 
registration website: 
https://register.bsdcertification.org//register/get-a-bsdcg-id 
Basic Unix Queuing Techniques


It occasionally happens that our incoming or outgoing data cannot be processed as it is generated or, for some reason, we choose to process it at a later time.

A typical example might be a client-server system, where it is necessary to queue the socket descriptors of incoming connections because of some limit on the number of active processes, or a message hub, which accepts data synchronously, but must rely on other processes to remove the data asynchronously. Apart from the numerous commercially-available third party implementations of queuing systems, Unix has two highly efficient queuing mechanisms, which can be used for extremely low overhead systems of queues.


Kernel mode queues 

The kernel uses queues internally for the implementa- 
tion of functions such as device drivers, and the system 
call interface to this mechanism is available for the im- 
plementation of application programs. The queues so 
produced are implemented in memory, so they are very 
fast. However, because there is no permanent storage of the data, these queues are also non-persistent. This means that if the process or the machine crashes, all of the queued data will be lost, and incoming data will no longer be enqueued.


User mode queues 

In this section, we will concentrate on disk-based user 
mode queues. The kernel mode queuing system, which 
will be covered in an upcoming Advanced Queuing Article, 
is a bit limited, and it is sometimes more convenient to use 
the user mode queue library functions which offer a little 
more functionality, namely: 
• Notification of message arrival, by sending a signal to the monitoring process.
• Prioritization of messages


There are only four fundamental commands to remember:

* mq_open() — Opens an existing queue, or creates a new queue
* mq_send() — enqueues a message
* mq_receive() — dequeues a message
* mq_notify() — notifies a process of the arrival of a message

The remaining five commands perform housekeeping tasks:

* mq_close() — closes a queue
* mq_unlink() — deletes a queue from the disk
* mq_getattr() — interrogates a queue's characteristics
* mq_setattr() — sets a queue's characteristics


A single structure definition is used to set and get the queue's attributes, and is defined as:

    struct mq_attr {
        long mq_flags;    /* message queue flags */
        long mq_maxmsg;   /* maximum number of messages */
        long mq_msgsize;  /* maximum message size */
        long mq_curmsgs;  /* number of messages currently queued */
    };
The mq series of commands all relate to disk based queues. The queues themselves are created in the /tmp directory and are always referred to in the commands as if they were situated below the root directory.

Thus to create a queue called 'zq', we would call mq_open(), like this:

    mqd_t qd;
    struct mq_attr atr;

    atr.mq_maxmsg = 100;
    atr.mq_msgsize = 255;

    if((qd = mq_open("/zq", O_RDWR|O_CREAT, 0755, &atr)) == (mqd_t)-1){
        perror("mq_open");
    }


Notice the similarity between the above syntax and that of the open() call for a file. The returned value is the queue descriptor, while the flags are exactly the same as those defined in fcntl.h for a file. The pointer to the 'atr' structure permits the setting of the maximum number of messages, and the maximum message size, prior to calling mq_open().

Enqueuing a message is analogous to a write() on a file:

    char *msg = "xyz";
    int priority = 5;

    if(mq_send(qd, msg, strlen(msg), priority) == -1){
        perror("mq_send");
    }


The extra parameter, 'priority', determines the order in which the message will be removed from the queue when it is dequeued, with '1' being the highest priority.

The dequeuing is performed by mq_receive():

    unsigned char data[8192];
    unsigned int priority;
    int n;

    if((n = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
        printf("Received %d byte message >%s< with %u priority\n", n, data, priority);
    }


Messages are taken off the queue in order of their priority, which mq_receive() returns into the variable passed to it. The return value of the function is the number of bytes in the message. In normal operation, this function would be called in a 'while' loop and the queue length would be checked at each iteration of the loop. The checking is done with the mq_getattr() function, called with the queue descriptor and the atr structure defined above:


    if(mq_getattr(qd, &atr) == 0){
        if(atr.mq_curmsgs == 0){
            printf("No more messages\n");
            mq_close(qd);
        }
    }


The following code extract puts this all together:

    while((rval = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
        printf("Client received: >%s< priority %u\n", data, priority);
        memset(data, '\0', sizeof(data));
        if(mq_getattr(qd, &atr) == 0){
            if(atr.mq_curmsgs == 0){
                printf("No more messages\n");
                mq_close(qd);
                break;
            }
        }
    }


We now have all the information we need to write a test program that
exercises all of these queuing functions. Instead of attempting to
re-create MQ Series from scratch (which we will leave for the 'Advanced
Queues' article), this program merely does the following:

  - Create a queue, whose descriptor is 'qd'.

  - Launch a child process, child(), which asks to be notified of the
    arrival of a message.

  - Enqueue 4 messages, in ascending order of priority.

  - The child pulls the messages off the queue in the order that they
    arrived, i.e. in order of priority. It then quits.

  - Launch another child process, client(), which merely performs a
    blocking read of the queue.

  - Enqueue 4 more messages, in descending order of priority.

  - The child, again, pulls the messages off in order of priority, which
    means the reverse of the order of their arrival. It does not quit.
Listing 1. Server and Client Code

    /* Reconstructed from a damaged scan. The text of msg4, msg6, msg7 and
       msg8 is not legible in the source and is left as placeholders. */

    #include <mqueue.h>
    #include <sys/stream.h>     /* Solaris-specific; not needed elsewhere */
    #include <sys/ddi.h>        /* Solaris-specific; not needed elsewhere */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <signal.h>
    #include <fcntl.h>
    #include <unistd.h>

    void interrupt(int);        /* interrupt handler */
    pid_t child(mqd_t);
    pid_t client(void);

    struct mq_attr atr;         /* global, so the handler can check the queue length */

    char *msg1 = "Mary had a little lamb\n";
    char *msg2 = "She also had a duck\n";
    char *msg3 = "She put them on the mantelpiece\n";
    char *msg4 = "(fourth line not legible in the scan)\n";
    char *msg5 = "Mary had a little lamb\n";
    char *msg6 = "(sixth line not legible in the scan)\n";
    char *msg7 = "(seventh line not legible in the scan)\n";
    char *msg8 = "(eighth line not legible in the scan)\n";

    mqd_t qd;

    int main(void)   /* main */
    {
        pid_t pid;

        signal(SIGURG, interrupt);

        atr.mq_maxmsg = 100;
        atr.mq_msgsize = 255;
        if((qd = mq_open("/zq", O_RDWR|O_CREAT, 0755, &atr)) == (mqd_t)-1){
            perror("mq_open");
        }

        pid = child(qd);      /* this asks to get notified */
        sleep(1);             /* give the child time to stabilise */

        /* queue ordering is by priority, not time of arrival */
        if(mq_send(qd, msg1, strlen(msg1), 1) == -1){ perror("mq_send"); }
        if(mq_send(qd, msg2, strlen(msg2), 2) == -1){ perror("mq_send"); }
        if(mq_send(qd, msg3, strlen(msg3), 3) == -1){ perror("mq_send"); }
        if(mq_send(qd, msg4, strlen(msg4), 4) == -1){ perror("mq_send"); }

        sleep(1);             /* give the child time to exit */

        pid = client();       /* blocking, but no notification */

        /* these must arrive after the queue empties, or the child won't exit */
        if(mq_send(qd, msg5, strlen(msg5), 4) == -1){ perror("mq_send"); }
        if(mq_send(qd, msg6, strlen(msg6), 3) == -1){ perror("mq_send"); }
        if(mq_send(qd, msg7, strlen(msg7), 2) == -1){ perror("mq_send"); }
        if(mq_send(qd, msg8, strlen(msg8), 1) == -1){ perror("mq_send"); }
        return 0;
    } /* main */

    /***************************************************************
     Simple blocking read loop, which checks the queue length at each
     pass, and exits when it's empty.
     ***************************************************************/
    pid_t client(void)   /* client */
    {
        pid_t pid;
        char data[8192];
        unsigned int priority;
        int rval;

        switch((pid = fork())) {
        case -1:
            break;
        case 0:
            printf("Client collecting messages from queue...\n");
            /* this will block until the first message arrives */
            while((rval = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
                printf("Client received: >%s< priority %d\n", data, priority);
                memset(data, '\0', sizeof(data));
                if(mq_getattr(qd, &atr) == 0){
                    if(atr.mq_curmsgs == 0) {
                        printf("No more messages\n");
                        mq_close(qd);
                        break;
                    }
                } else {
                    perror("mq_getattr");
                    break;
                }
            }
            printf("Done\n");
            mq_unlink("/zq");
            exit(0);
            break;
        default:
            return(pid);
            break;
        }
        return(pid);
    } /* client */

    /***************************************************************
     The child asks to be notified of the arrival of a message, by
     means of SIGURG, for which we've defined a handler. The child
     then calls pause(), and waits for an interrupt. Inside the
     interrupt handler, it performs blocking reads on the queue,
     checking its length each time. When the queue is empty, it
     returns, and calls mq_notify again with a NULL action to turn
     notification off and permit the client routine to access the queue.
     ***************************************************************/
    pid_t child(mqd_t qqd)   /* child */
    {
        struct sigevent ev;
        pid_t pid;

        switch((pid = fork())) {
        case -1:
            break;
        case 0:
            printf("Child collecting messages from queue...\n");
            ev.sigev_notify = SIGEV_SIGNAL;
            ev.sigev_signo = SIGURG;
            if(mq_notify(qqd, &ev) != 0){
                perror("mq_notify");
            }
            pause();
            if(mq_notify(qqd, NULL) != 0){
                perror("mq_notify");
            }
            exit(0);
            break;
        default:
            return(pid);
            break;
        }
        return(pid);
    } /* child */

    /***************************************************************
     Interrupt handler

     We're only interested in SIGURG, for which we've been waiting in
     pause(). We perform our dequeuing function in this handler, to
     save ourselves a function call, so it is important that the queue
     variables be visible globally.

     The mq_receive() loop reads the queue, checking its length each
     time. When the queue is empty, we return.
     ***************************************************************/
    void interrupt(int what)   /* interrupt */
    {
        char data[8192];
        unsigned int priority;
        int rval;

        printf("Received signal %d...\n", what);
        switch(what) {
        case SIGURG:
            while((rval = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
                printf("Child received: >%s< priority %d\n", data, priority);
                memset(data, '\0', sizeof(data));
                if(mq_getattr(qd, &atr) == 0){
                    if(atr.mq_curmsgs == 0) {
                        printf("No more messages\n");
                        break;
                    }
                } else {
                    perror("mq_getattr");
                    break;
                }
            }
            break;
        }
    } /* interrupt */
The notification mechanism uses a software interrupt defined by means of
the sigevent structure. To do this, we first create the variable:


struct sigevent ev; 


The interesting parts of this structure (defined fully in siginfo.h) are

    struct sigevent {
        int sigev_notify;
        int sigev_signo;
        ...
    };


where sigev_notify has the values 


SIGEV_NONE 
SIGEV_SIGNAL 
SIGEV_THREAD 


We will choose SIGEV_SIGNAL, since we want to catch an interrupt with the
arrival of each message on our queue. Later, if we need to turn off
notification, we can do it by passing in SIGEV_NONE.

Since sigev_signo lets us choose which signal is sent to us, we'll choose
something safe that isn't used by other processes. SIGURG is normally sent
out when an urgent condition exists on a socket or other I/O device and, in
that capacity, is of no interest to us. Therefore, we will use SIGURG, and
register it, together with our interrupt handler, in main():

    signal(SIGURG, interrupt);


Then, in our child() function, when our child process is running, we
define the kind of event we need, and the signal number that we're
expecting, as follows:

    ev.sigev_notify = SIGEV_SIGNAL;
    ev.sigev_signo = SIGURG;


Immediately after these lines, we call pause(), which puts 
the process into a catatonic state, waiting for the arrival 
of an interrupt. 

In reality, the server and client code would probably be 
in separate files, and run in unrelated processes. Since 
this is merely an exercise, all of the code is in one file, 
as follows. 


MARK SITKOWSKI 
Mark Sitkowski C.Eng, M.I.E.E Consultant to Forticom Security 
How Secure can Secure Shell (SSH) be?
(OpenSSH VPN tunnelling)

This article is the third part of the series on OpenSSH and its
configuration, and includes tricks which make using the protocol more
secure. This article concentrates on Virtual Private Networks supported
by OpenSSH.


What you will learn...

  - How to configure a VPN using OpenSSH.
  - Good basics to make something new and secure on your own.


and apps to enable a (virtual) tunnel inside the network. In this case,
the network means layer 2 and layer 3 of the OSI (Open System
Interconnection) model, but we are focusing on the layer 3 VPN tunnel.
Admittedly, OpenSSH supports layer 2 tunnelling, but for ease of use and
understanding this article will focus on layer 3 tunnelling.

Please look at Figure 1. It shows the scheme of a small network
configuration where our OpenSSH tunnel runs through the Internet. Two
separate private networks are connected directly via the Internet and
packets are routed to the appropriate network on the other side. The goal
is to ensure secure traffic between the 10.0.0.0/24 and 172.16.0.0/24
networks. VPNs can provide protection in insecure networks as well.

OpenSSH is very configurable and we can use it independently of the
existing SSH configuration, so as not to disturb the terminal-access
client/server model (further explanation is in article 1 of the series,
issue 11/2013 of BSD Magazine). All traffic between these networks is as
secure as the OpenSSH protocol is secure. Therefore, encryption is enabled
and no one can easily understand what we send through the Internet. Be
informed, the OpenSSH team's advice in man ssh is: "Since an SSH-based
setup entails a fair amount of overhead, it may be more suited to
temporary setups, such as for wireless VPNs. More permanent VPNs are
better provided by tools such as ipsecctl(8) and isakmpd(8)." So, we can
use it for small traffic, but not for a large amount of bandwidth.

What you should know...

  - Unix/Linux commands and shell environments.
  - The basics of TCP/IP, routing, and VPN issues.
  - Basic configuration of SSH (1st and 2nd parts of the article series).
  - Understanding of security necessities.


[Figure 1. Network schema of VPN tunnelling: LAN1 10.0.0.0/24 behind the
server (public address 1.1.1.1, tun0 192.168.0.1) and LAN2 172.16.0.0/24
behind the client (public address 2.2.2.2, tun0 192.168.0.2), connected
through the Internet.]
IP SETTINGS CONFIGURATION

First, we have to create virtual interfaces for temporary use and
potentially for future use. Both interfaces should be brought up on the
server and client side. To do it for temporary use (until the first
system reboot or running /etc/netstart), type the following commands:

    server# ifconfig tun0 create
    server# ifconfig tun0 192.168.0.1 192.168.0.2 netmask 255.255.255.252

The results should be similar to Listing 1. 

Secondly, we should be sure that forwarding is enabled on both sides. To
check it, run the command shown below.

    server# sysctl | grep ip.forwarding

Output (required):

    net.inet.ip.forwarding=1

If the result is equal to 0, then run the following command.

    server# sysctl net.inet.ip.forwarding=1

Output:

    net.inet.ip.forwarding: 0 -> 1

To set it permanently, add the line net.inet.ip.forwarding=1 to the
/etc/sysctl.conf file.

For the client side, check whether forwarding is enabled and then create
the pseudo-device interface tun0. The command sequence is as follows; the
results of the commands are shown in Listing 2:

    client# ifconfig tun0 create
    client# ifconfig tun0 192.168.0.2 192.168.0.1 netmask 255.255.255.252

Listing 1. Output of ifconfig tun0 pseudo-device interface on the server side

    server# ifconfig tun0
    tun0: flags=11<UP,POINTOPOINT> mtu 1500
            priority: 0
            groups: tun
            status: down
            inet 192.168.0.1 --> 192.168.0.2 netmask 0xfffffffc

Listing 2. Output of ifconfig tun0 pseudo-device interface on the client side

    client# ifconfig tun0
    tun0: flags=11<UP,POINTOPOINT> mtu 1500
            priority: 0
            groups: tun
            status: down
            inet 192.168.0.2 --> 192.168.0.1 netmask 0xfffffffc


Thirdly, for future use of the pseudo-device at start-up after a reboot or
similar, create the following file on OpenBSD or modify the specified file
on FreeBSD.

OpenBSD (on server and client side)

    server# echo "192.168.0.1 192.168.0.2 netmask 255.255.255.252" > /etc/hostname.tun0
    client# echo "192.168.0.2 192.168.0.1 netmask 255.255.255.252" > /etc/hostname.tun0

FreeBSD (on server and client side)

    server# echo 'ifconfig_tun0="inet 192.168.0.1 192.168.0.2 netmask 255.255.255.252"' >> /etc/rc.conf
    client# echo 'ifconfig_tun0="inet 192.168.0.2 192.168.0.1 netmask 255.255.255.252"' >> /etc/rc.conf


Last but not least, set up the appropriate routing table for both server
and client. Let's look at Figure 1 again to understand better what we
should do, along with the packets' destination. For temporary use the
commands are as follows:

OpenBSD (on server and client side)

    server# route add 172.16.0.0/24 192.168.0.2
    client# route add 10.0.0.0/24 192.168.0.1

FreeBSD (on server and client side)

    server# route add -net 172.16.0.0/24 192.168.0.2
    client# route add -net 10.0.0.0/24 192.168.0.1

To set the permanent routing entries (static routes) after reboot etc.,
modify your configuration files with the following commands:

OpenBSD (on server and client side)

    server# echo "!route add 172.16.0.0/24 192.168.0.2 > /dev/null 2>&1" >> /etc/hostname.tun0
    client# echo "!route add 10.0.0.0/24 192.168.0.1 > /dev/null 2>&1" >> /etc/hostname.tun0

FreeBSD (on server and client side)

    server# echo 'static_routes="vpn1"' >> /etc/rc.conf
    server# echo 'route_vpn1="-net 172.16.0.0/24 192.168.0.2"' >> /etc/rc.conf
    client# echo 'static_routes="vpn1"' >> /etc/rc.conf
    client# echo 'route_vpn1="-net 10.0.0.0/24 192.168.0.1"' >> /etc/rc.conf


This is the end of the discussion on IP settings for VPN 
tunnelling, so let’s begin to prepare OpenSSH server 
and then SSH client to negotiate and start tunnelling. 


OPENSSH: SERVER AND CLIENT CONFIGURATION

This section of the article focuses on configuration of the 
SSH server and client, which is the same for both Open- 
BSD and FreeBSD operating systems. Let’s assume that 
we use OpenSSH as a server for a terminal use, a file 
transfer or even another VPN tunnelling connection as 
well as an all-in-one. 

It's good to know that we can use a separate sshd 
process started with a specific defined configuration file 
and use a different server port. For example, we use 
standard SSH port 22 for terminal connections and we 
can use non-standard 2468 port for VPN connections. 
The configuration file mentioned above can be different 
as well, so we can forget about any existing SSH con- 
nections, configuration etc. and start to use it only for 
VPN tunnelling. 


Server

The first step is to copy the existing configuration file sshd_config to
the new file:

    server# cp /etc/sshd_config /etc/sshd_config_vpn


After that we need to change some options and values, so edit the new file
sshd_config_vpn and add/change the following lines.

You should be familiar with these options, described in the 1st article in
the series (issue 11/2013 of BSD Magazine). There are two new options,
PermitTunnel and AllowTcpForwarding, responsible for enabling tunnelling
and forwarding packets respectively.
    PermitTunnel point-to-point
    Port 2468
    ListenAddress 1.1.1.1
    AllowUsers root
    PermitRootLogin yes
    AuthenticationMethods publickey
    AllowTcpForwarding yes


On the server side we generate the new private/public key pair, which we
will use to secure the SSH connections. That is the same step described in
the 1st article as well. The command generating these keys is as follows
(please leave the passphrase empty, to avoid being asked for it during
every VPN connection):

    server# ssh-keygen -b 4096

As described in the 1st article, copy the public key into the
authorized_keys file and the private key file into the client file system.


Client

The next step is to copy the existing configuration file ssh_config to
the new file:

    client# cp /etc/ssh_config /etc/ssh_config_vpn


We need to change a couple of options and values as 
well. Edit the file ssh_config_vpn and add/modify the fol- 
lowing lines. 


    Port 2468
    Protocol 2
    Tunnel point-to-point
    PasswordAuthentication no
    AddressFamily inet
    IdentityFile /my own path to ssh/private key
    TunnelDevice 0:0


Some explanation is needed for the TunnelDevice option. This option
specifies which pseudo-device interface number should be used on each
side; 0:0 means tun0 on both.

After that we are ready to run our OpenSSH VPN tunnel. Let's run the
following command from the client.

    client# ssh -v -F /etc/ssh/ssh_config_vpn -l root 1.1.1.1 true

To troubleshoot connection problems it is good to set the -v option, in
order to output more debug data during creation of the VPN connection. A
successful setting of VPN tunnelling is shown in Listing 3.


If everything works, we can do some hardening: run the VPN at start-up,
and prevent login as any user, especially root, to a terminal on the other
side, allowing the key only to create the VPN.

To run the VPN tunnel after reboot, etc., we should do 
as follows (commands for OpenBSD and FreeBSD): 


OpenBSD (on the client side)

    client# echo "/usr/bin/ssh -F /etc/ssh/ssh_config_vpn -l root 1.1.1.1 true" >> /etc/rc.local

FreeBSD (on the client side)

    client# echo "#!/bin/sh" >> /usr/local/etc/rc.d/vpn.sh
    client# echo ". /etc/rc.subr" >> /usr/local/etc/rc.d/vpn.sh
    client# echo "rcvar=sshvpn_enable" >> /usr/local/etc/rc.d/vpn.sh
    client# echo 'command="/usr/bin/ssh -F /etc/ssh/ssh_config_vpn -l root 1.1.1.1 true"' >> /usr/local/etc/rc.d/vpn.sh
    client# chmod 550 /usr/local/etc/rc.d/vpn.sh
    client# echo 'sshvpn_enable="YES"' >> /etc/rc.conf


The last thing is to use the SSH connection for VPN tunnelling only. To do
that we have to change the following line on the server side in the file
sshd_config.

    PermitRootLogin forced-commands-only

And on the client side add/modify the following line in the file
ssh_config_vpn.

    tunnel="1",command="sh /etc/netstart tun0" ssh-rsa ...
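The options line above is written in the format sshd(8) uses for entries in the server's authorized_keys file (comma-separated options, then the key type, then the key), so it is the entry for the VPN key on the server that carries it; PermitRootLogin forced-commands-only then makes the command= option the only thing that key can do. As an added example, not from the article, the C program below parses such an entry and checks that a VPN-only key also carries the restrictions a practitioner would expect: restrict (OpenSSH 7.2 and later), or the individual no-pty, no-port-forwarding, no-agent-forwarding and no-X11-forwarding options, since command= on its own still leaves port forwarding and a pty available to that key when the server allows them. The key material in the test lines is constructed and not a real key.

```c
#include <stddef.h>
#include <string.h>

/* Flags describing what an authorized_keys entry grants or withholds. */
enum {
    KEY_HAS_COMMAND  = 1,    /* command="..." forces this command regardless of the client */
    KEY_HAS_TUNNEL   = 2,    /* tunnel="n" pins the server-side tun device */
    KEY_NO_PTY       = 4,
    KEY_NO_PORT_FWD  = 8,
    KEY_NO_AGENT_FWD = 16,
    KEY_NO_X11_FWD   = 32,
    KEY_RESTRICTED   = KEY_NO_PTY | KEY_NO_PORT_FWD | KEY_NO_AGENT_FWD | KEY_NO_X11_FWD
};

/* 1 if the token is one of the public-key type keywords OpenSSH accepts. */
static int is_key_type(const char *p, size_t len)
{
    static const char *types[] = { "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss" };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        if (strlen(types[i]) == len && strncmp(p, types[i], len) == 0) return 1;
    return 0;
}

/* sshd matches option names case-insensitively; this audit expects the
 * canonical lowercase spelling used in the manual page. */
static int option_flag(const char *opt, size_t len)
{
    if (len > 9 && strncmp(opt, "command=\"", 9) == 0) return KEY_HAS_COMMAND;
    if (len > 8 && strncmp(opt, "tunnel=\"", 8) == 0)  return KEY_HAS_TUNNEL;
    if (len == 8 && strncmp(opt, "restrict", 8) == 0)  return KEY_RESTRICTED;
    if (len == 6 && strncmp(opt, "no-pty", 6) == 0)    return KEY_NO_PTY;
    if (len == 18 && strncmp(opt, "no-port-forwarding", 18) == 0)  return KEY_NO_PORT_FWD;
    if (len == 19 && strncmp(opt, "no-agent-forwarding", 19) == 0) return KEY_NO_AGENT_FWD;
    if (len == 17 && strncmp(opt, "no-X11-forwarding", 17) == 0)   return KEY_NO_X11_FWD;
    return 0;   /* other options (from=, environment=, ...) are outside this audit */
}

/* Parse one authorized_keys line and return a bitmask of the flags above,
 * or -1 if the line is a comment, blank, or has no recognisable key type.
 * Quoted option values may contain commas and spaces, and \" inside them. */
int audit_key_options(const char *line)
{
    int flags = 0;
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '#' || *p == '\0') return -1;

    for (;;) {
        const char *start = p;
        /* an option token runs to the next unquoted comma or whitespace */
        while (*p && *p != ',' && *p != ' ' && *p != '\t') {
            if (*p == '"') {
                p++;
                while (*p && *p != '"') { if (*p == '\\' && p[1]) p++; p++; }
                if (*p == '"') p++;
            } else {
                p++;
            }
        }
        size_t len = (size_t)(p - start);
        if (is_key_type(start, len)) return flags;   /* no options: first token is the key */
        if (len == 0) return -1;
        flags |= option_flag(start, len);
        if (*p == ',') { p++; continue; }
        /* options finished; the next whitespace-separated token must be the key type */
        while (*p == ' ' || *p == '\t') p++;
        start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        return is_key_type(start, (size_t)(p - start)) ? flags : -1;
    }
}

/* A VPN-only key should force the command, pin the tunnel device, and carry
 * the full set of no-* restrictions (or restrict). */
int vpn_key_is_locked_down(const char *line)
{
    int f = audit_key_options(line);
    return f >= 0 && (f & KEY_HAS_COMMAND) && (f & KEY_HAS_TUNNEL)
           && (f & KEY_RESTRICTED) == KEY_RESTRICTED;
}
```

Run over the article's line, the check reports the missing restrictions; the same function applied to every line of authorized_keys on the VPN server gives a quick audit that no key intended only for the tunnel can also open a shell or forward ports.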


CONCLUSIONS

Virtual Private Networks are a good solution for providing secure and
low-cost internal traffic between branches. OpenSSH is one of many such
worthwhile methods for running VPN tunnels, but not the best. You can use
it for small networks with low traffic between sites. You can use it as a
secure gateway to enable new paths, as well as for security purposes only.
OpenSSH is very flexible, so it's good to combine SSH terminal connections
with VPN tunnelling to improve the security of access into your system.
You can also generate fake traffic as a decoy for threats and thus
decrease your system's vulnerability.

This part is the last about strictly securing OpenSSH. The next one will
explain why OpenSSH used for SFTP (SSH File Transfer Protocol) is better
than FTP or even FTPS.

In the next part of the series you will find out more about SFTP, known
as the SSH File Transfer Protocol, as opposed to standard FTP.

Listing 3. Successful setting of VPN connection, data from the server side

    tun0: flags=51<UP,POINTOPOINT,RUNNING> mtu 1500
            priority: 0
            groups: tun
            status: active
            inet 192.168.0.1 --> 192.168.0.2 netmask 0xfffffffc

References (order of relevance):

  - man sshd_config (server side configuration file)
  - man ssh_config (client side configuration file)
  - man sshd (server side binary file)
  - man ssh (client side binary file)
  - www.openssh.org
Unix Interprocess Communication Using Shared Memory

A shared memory segment is a section of RAM whose address is known to more
than one process. The processes to which this address is known have either
read-only or read/write permission to the memory segment, whose access
rights are set in the manner used by chmod.


Most machines dedicated to the manipulation of large databases are not
short of RAM, and figures of 3 to 5 GB are fairly common. Where two
processes coexist on the one machine, communication of data through the
mechanism of shared memory becomes an attractive proposition.

Among the advantages of a shared memory system are:


  - Memory-to-memory data transfers are inherently fast, and there are
    never any connection problems, as can occasionally occur with TCP/IP.

  - The total amount of memory used by a TCP/IP client/server system, in
    the worst case, is double the amount necessary to store the data.
    First, the client has to extract the data and store it in local data
    structures, like arrays of structures or linked lists, and then the
    server has to allocate the same amount of memory to receive the same
    data. Memory is returned only when the client terminates.


The drawbacks include: 


  - The amount of free RAM must always be adequate to cater to the
    maximum which may be required.




  - If a process terminates unexpectedly without first deleting its
    shared memory segment, that segment remains unusable. If the segment
    is of significant size, this could have an adverse effect on the
    performance of the machine.

  - The parent/child interaction at the beginning of the operation is
    slightly more complicated. The child needs to communicate the address
    of the shared memory segment which it has allocated for the data it is
    about to send back to the parent. In order for this to be possible,
    the parent must first establish a small piece of shared memory where
    the child can place this address.

  - The timing of connections and disconnections is not event-driven.


Shared Memory Commands

A shared memory segment is requested with the shmget() system call, which
has the synopsis:

    int shmget(key_t key, size_t size, int shmflg);

The return value is the shared memory identifier, an integer value, which
is used in subsequent manipulations.
On some versions of Unix, the 'key' parameter can be synthesized by
calling a special function, but for most purposes, and certainly for ours,
the symbolic value IPC_PRIVATE, which is #defined as zero, will be used
exclusively.

The variable 'size' is merely the memory segment size in bytes, while the
'shmflg' parameter is the logical OR of one or more of the following:

    IPC_CREAT      create segment if key doesn't exist
    IPC_EXCL       fail if key already exists
    IPC_NOWAIT     flag error if we must wait for the segment
    SHM_R          make segment readable
    SHM_W          make segment writeable
    SHM_RND        attach on page boundary
    SHM_RDONLY     attach as read-only. If this is omitted, the default
                   is read/write.
    SHM_SHARE_MMU  share virtual memory among processes which share this
                   segment. This may be useful if there is a danger of one
                   or more such processes being swapped out.
    SHM_PAGEABLE   as above, but the memory may be dynamically resized
                   within the size allocated.


Typically, we would make the call as follows:

    #include <sys/shm.h>

    int shmid;
    size_t size = 10000000;

    if((shmid = shmget(IPC_PRIVATE, size,
                       IPC_CREAT | SHM_PAGEABLE | SHM_R | SHM_W)) <= 0){
        perror("Error obtaining shared memory");
    }


Having acquired our shared memory, we now have 
to attach it to the data segment of our process. This is 
achieved by using the shmat() system call. 


    void *shmat(int shmid, const void *shmaddr, int shmflg);


The return value is a pointer to the start address of the 
attached memory segment. It is declared (void *) for the 
same reason as that of malloc(). It is the responsibility of 
the user to cast this to the datatype for which the memo- 
ry will be used. 

The 'shmid' parameter is that returned from the shmget() call above, while
shmaddr has the following common options:

  - shmaddr = 0: the segment is attached to the first available suitably
    aligned address.

  - shmaddr != 0 AND shmflg is either SHM_SHARE_MMU (which means the
    kernel will share its unpageable memory resources) or SHM_PAGEABLE
    (memory is pageable): the segment is attached to the first suitably
    aligned address at shmaddr. This is the most commonly used value, and
    the one we shall use.


The shmflg argument can have most of the values passed to shmget():

    SHM_R | SHM_W | SHM_RDONLY | SHM_RND | SHM_SHARE_MMU | SHM_PAGEABLE


We will use shmat() as follows: 


Listing 1. A structure of type struct shmid_ds, which may be used to obtain information about the memory segment

    struct shmid_ds {
        struct ipc_perm  shm_perm;    /* operation permission struct */
        size_t           shm_segsz;   /* size of segment in bytes */
        struct anon_map *shm_amp;     /* segment anon_map pointer */
        ushort_t         shm_lkcnt;   /* number of times it is being locked */
        pid_t            shm_lpid;    /* pid of last shmop */
        pid_t            shm_cpid;    /* pid of creator */
        shmatt_t         shm_nattch;  /* used only for shminfo */
        ulong_t          shm_cnattch; /* used only for shminfo */
        time_t           shm_atime;   /* last shmat time */
        time_t           shm_dtime;   /* last shmdt time */
        time_t           shm_ctime;   /* last change time */
    };
Listing 2. The code for child processes

    /* Reconstructed from a damaged scan. The routine's header and the names
       'which', 'nrows' and 'launch' were not legible and are reconstructions;
       shmid_c, size, mptr and struct xyz are the child's own, whose
       declarations the original does not show. */

    /* the shmid of the token memory being passed to the child */
    int shmid;

    /* an array for storing pointers to all the tokens passed to all child
       processes; indexed from 1 */
    unsigned char *chptr[NCHILDREN + 1];

    int launch(char *cursor_string, int which)   /* launch */
    {
        pid_t pid;
        int token;

        /* token memory, for the child to write its ID and shmid into */
        token = sizeof(unsigned char) * 200;

        /* shmid is global, so it can be viewed by the child process, and attached */
        if((shmid = shmget(IPC_PRIVATE, token, IPC_CREAT | 0666)) <= 0) {
            perror("Server: Error obtaining shared memory");
            return(-1);
        }

        /* shmat returns a pointer to the segment defined by shmid */
        if((chptr[which] = (unsigned char *)shmat(shmid, 0, SHM_RND))
                == (unsigned char *)-1) {
            perror("Server: Error attaching to shared memory");
            return(-1);
        }

        /* the next line cleans the memory we're going to use */
        memset((char *)chptr[which], '\0', token);

        /* launch child process */
        switch((pid = fork())){
        case -1:
            perror("fork");
            break;

        case 0:   /* in child process */
            /* connect to database, prepare cursor from cursor string,
               declare it, and open it */

            /* attach the child to the token memory */
            if((chptr[which] = (unsigned char *)shmat(shmid, 0, SHM_RND))
                    == (unsigned char *)-1) {
                perror("Client: Error attaching to incoming shared memory");
                exit(1);
            }
            switch(which) {
            case 1:
                /* run SQL query to determine the number of rows to be returned */

                /* allocate shared memory to hold all the data */
                if((shmid_c = shmget(IPC_PRIVATE, size, IPC_CREAT | 0666)) <= 0){
                    printf("Memory allocation failed\n");
                    exit(1);
                }
                /* now get a pointer to the actual memory, cast to the data
                   type of the structure we expect to receive */
                if((mptr = (struct xyz *)shmat(shmid_c, 0, SHM_RND))
                        == (struct xyz *)-1) {
                    perror("Client: Error attaching to shared memory");
                    exit(1);
                }

                /* code to fetch cursor into the mptr[] array of structures */

                /* when all rows have been retrieved, write results to token */
                sprintf((char *)chptr[which], "%d %d %d", which, nrows, shmid_c);
                break;
            case 2:
                /* code for second cursor, which has a different cursor
                   string and data structures */
                break;
            case 3:   /* etc. */
                break;
            default:
                printf("Unknown cursor\n");
                break;
            }
            /* code to close the cursor */
            break;

        default:   /* in the parent process */
            children++;
            break;
        }
        return(0);
    } /* launch */

Listing 3. The presence of all three signifies that the cursor in the child has run, and that data is available

    /* Reconstructed from a damaged scan. Requires the globals
       pthread_t tid[NCHILDREN + 1]; and int children; (incremented by the
       launching routine in Listing 2). */

    void monitor(void)   /* monitor */
    {
        int one, two, three;        /* dummy variables for testing token */
        int flag = 0;               /* termination flag */
        int done[NCHILDREN + 1];    /* log of completed children, indexed from 1 */
        int i;

        printf("Server waiting for clients to connect shm segments...\n");

        memset((char *)done, '\0', sizeof(done));

        while(1) {
            for(i = 1; i <= NCHILDREN; i++) {
                if(sscanf((char *)chptr[i], "%d %d %d", &one, &two, &three) == 3) {
                    if(one == 0 || two == 0 || three == 0)
                        continue;
                    if(done[i] == 99) continue;

                    printf("Child %d returned\n", i);
                    children--;
                    done[i] = 99;   /* mark this child as having completed */

                    /* let a thread deal with this, while we continue to look */
                    if(pthread_create(&tid[i], NULL, xserve, (void *)chptr[i]) != 0) {
                        printf("Failed to create thread\n");
                    }
                    /* we don't want to wait for the thread */
                    if(pthread_detach(tid[i]) != 0) {
                        printf("Failed to detach thread\n");
                    }
                } else {
                    printf("Server %d shmid %d children %d\n",
                           getpid(), i, children);
                }
            }
            if(children == 0) {   /* all our cursors have run, so process the data */
                flag = 1;
                break;
            }
            if(flag == 1) break;
        }
    } /* monitor */
    unsigned char *mptr;

    if((mptr = (unsigned char *)shmat(shmid, 0, SHM_RND)) == (unsigned char *)-1){
        perror("Error attaching to shared memory");
    }


Unlike malloc(), which returns NULL on failure, shmat() returns -1, which
results in the need for the clumsy cast to (unsigned char *) above.

Each attached memory segment has associated with it, 
a structure of type struct shmid_ds, which may be used to 
obtain information about the segment: Listing 1. 

The shmctl() system call is designed to load the contents of this structure
into a local structure of the above type:

    if(shmctl(shmid, IPC_STAT, &buf) < 0){
        printf("Unable to get shm status\n");
    }


The value IPC_STAT signifies that this is a query. The value IPC_SET allows
the setting of the members of the ipc_perm structure, changing the
following permissions:

    shm_perm.uid
    shm_perm.gid
    shm_perm.mode


Still considering our hypothetical database access program, described at the beginning of this chapter, the sequence of events, for creating a shared memory client-server system, would be:

• Parent process allocates a 100-byte shared memory segment, large enough to hold a token, with the child's ID, the number of bytes, or data structures being returned and the shared memory ID allocated and returned by the child.

• Parent forks child processes, each of which is passed the shared memory ID of the 100-byte token memory segment.

• Child process accesses the database, and queries the number of rows which will be returned by the cursor, which it intends to run.

• Child process allocates shared memory, large enough to hold the data, then retrieves the data from the database, and loads it into the memory segment.

• Child process places its identifier, the number of rows being returned and the shared memory ID of the retrieved data in the 100-byte token memory segment.

• Parent reads the child's identifier, the number of rows being returned and the shared memory ID. It then attaches to the shared memory segment and accesses the data.

Listing 4. To access our data

    void *
    xserve(unsigned char *shm)    /* thread entry point: shm is the child's token */
    {
        int cursor_id;
        int size;
        int shmid_c;

        /* extract token data */
        sscanf((char *)shm, "%d %d %d", &cursor_id, &size, &shmid_c);
        /* format string below partly illegible in scan */
        printf("Thread %d cursor %d shmid %d\n", pthread_self(), cursor_id, shmid_c);

        /*
         * shmat returns a pointer to the segment defined by shmid_c
         */
        /* global pointer array; its name is illegible in the scan, dataptr used here */
        if((dataptr[cursor_id] = (unsigned char *)shmat(shmid_c, 0, SHM_RND)) ==
                (unsigned char *)-1) {
            perror("Server: Error attaching to shared memory");
            return (void *)-1;
        }

        /*
         * Cast pointers to correct data types,
         * and set no. of records
         */
        switch(cursor_id) {
        case 1:
            /* [cast line illegible in scan] */
            lpt = size;
            break;
        case 2:
            /* same for next cursor */
            break;
        case 3:   /* etc. */
            break;
        }
        /* [return statement illegible in scan] */
    }
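The token exchange described in the steps above, as an added example that is not the article's own listing: the parent creates the 100-byte token segment, a forked child allocates its own data segment and publishes (child id, rows, shmid) in the token, and the parent follows the token, checking shmat's (void *)-1 failure value and the segment size via IPC_STAT before trusting the row count. The struct token layout, the text encoding of the token and the constructed "rows" are assumptions of this example.

```c
/* Added example (not the article's code): parent/child shared-memory token exchange. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>

#define TOKEN_BYTES 100          /* the article's 100-byte token segment */
#define SHM_FAILED ((void *)-1)  /* shmat() reports failure with -1, not NULL */

struct token {                   /* assumed layout of what a child leaves in the token */
    int child_id;
    int rows;
    int data_shmid;
};

/* Encode the token as text so the layout does not depend on struct padding. */
int token_write(char *seg, const struct token *t)
{
    int n = snprintf(seg, TOKEN_BYTES, "%d %d %d", t->child_id, t->rows, t->data_shmid);
    return (n > 0 && n < TOKEN_BYTES) ? 0 : -1;
}

int token_read(const char *seg, struct token *t)
{
    return sscanf(seg, "%d %d %d", &t->child_id, &t->rows, &t->data_shmid) == 3 ? 0 : -1;
}

/* Child side: allocate a data segment for `rows` rows, fill it, publish the token. */
static int child_serve(int token_shmid, int child_id, int rows)
{
    char *tok = shmat(token_shmid, NULL, 0);
    if (tok == SHM_FAILED) { perror("child shmat token"); return -1; }
    int data_id = shmget(IPC_PRIVATE, (size_t)rows * sizeof(int), IPC_CREAT | 0600);
    if (data_id < 0) { perror("child shmget data"); return -1; }
    int *data = shmat(data_id, NULL, 0);
    if (data == SHM_FAILED) { perror("child shmat data"); return -1; }
    for (int i = 0; i < rows; i++)
        data[i] = (i + 1) * 10;            /* constructed "database rows" */
    struct token t = { child_id, rows, data_id };
    int rc = token_write(tok, &t);
    shmdt(data);
    shmdt(tok);
    return rc;
}

/* Parent side: fork one child, wait for it, then follow the token to the data.
 * Returns the sum of the rows read, or -1 on any failure. */
int run_token_exchange(int rows)
{
    int token_id = shmget(IPC_PRIVATE, TOKEN_BYTES, IPC_CREAT | 0600);
    if (token_id < 0) { perror("shmget token"); return -1; }
    char *tok = shmat(token_id, NULL, 0);
    if (tok == SHM_FAILED) { perror("shmat token"); shmctl(token_id, IPC_RMID, NULL); return -1; }
    memset(tok, 0, TOKEN_BYTES);

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return -1; }
    if (pid == 0)
        _exit(child_serve(token_id, 1, rows) == 0 ? 0 : 1);

    int status, sum = -1;
    waitpid(pid, &status, 0);              /* one child: waiting replaces the article's polling loop */
    struct token t;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0 && token_read(tok, &t) == 0) {
        struct shmid_ds ds;
        int *data = shmat(t.data_shmid, NULL, 0);
        /* IPC_STAT tells us the real segment size: never trust the row count alone */
        if (data != SHM_FAILED && shmctl(t.data_shmid, IPC_STAT, &ds) == 0
            && t.rows >= 0 && ds.shm_segsz >= (size_t)t.rows * sizeof(int)) {
            sum = 0;
            for (int i = 0; i < t.rows; i++)
                sum += data[i];
        }
        if (data != SHM_FAILED) shmdt(data);
        shmctl(t.data_shmid, IPC_RMID, NULL);
    }
    shmdt(tok);
    shmctl(token_id, IPC_RMID, NULL);
    return sum;
}
```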


Server 

This code would probably reside in the routine which launched child processes, and require the following global declarations: Listing 2. The above routine would be called once for every cursor and, after the last call, each element of the array chptr[] would contain a pointer to the shared memory tokens passed to all the children. We would then call a monitor routine, which would scan the elements of the array, looking for a child identifier, a row count and a shmid. The presence of all three signifies that the cursor in the child has run, and that data is available (Listing 3).

We send a thread to perform the housekeeping on the data that has just arrived, so that we can continue to search uninterrupted for returned children.

In the function xserve(), we attach to the memory segment defined by the shmid returned in the token. We store the pointer returned by shmat() in a global array of such pointers, which we will use in the subsequent data manipulation routines to access our data (Listing 4).


MARK SITKOWSKI 
Sniffing and Recovering
Network Information
Using Wireshark


Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, as well as education. Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface and pcap to capture packets; it runs on various Unix-like operating systems including Linux, OS X, BSD, Solaris, and on Microsoft Windows.


You can download Wireshark for Windows or Mac OS X from the official website (http://www.wireshark.org/download.html). Most Linux systems come with a pre-installed Wireshark tool; however, in the case that Wireshark is not installed, you can just follow the documentation below and run the proper command for each operating system to get it running: Building and Installing Wireshark (http://www.wireshark.org/docs/wsug_html_chunked/ChapterBuildInstall.html). Wireshark needs to be run as the root user in your system and will give you a security message that you are running it as root, so proceed with proper caution.


Capture Interfaces 

We can get an overview of the available local interfaces 
by navigating on the Capture menu tab and then clicking 
the Interfaces option as shown in Figure 1. By clicking the 
Option button, Wireshark pops up the “Capture Options” 
dialog box. The table shows the settings for all available 
interfaces including a lot of information for each one and 
some checkboxes like: 
• Capture on all interfaces — As Wireshark can capture on multiple interfaces, it is possible to choose to capture on all available interfaces.

• Capture all packets in promiscuous mode — This checkbox allows you to specify that Wireshark should put all interfaces in promiscuous mode when capturing.


By clicking the Start button, we will see a lot of packets 
start appearing in real time. Wireshark captures each 
packet sent from (Source) or to (Destination) our system. 


User Interface 

Before proceeding to analyze our network traffic we will explain the basic information we need to know about the packet list pane, the color rules, the packet details pane and the packet bytes pane.


Packet List pane 

The packet list pane displays all the packets in the current capture file. Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed on the Packet Details and Packet Bytes panes.


Figure 1. Wireshark Interfaces (the Capture Interfaces dialog, listing Device, Description, IP, Packets and Packets/s for eth0, wlan0, the usbmon devices, any and lo)


The default columns will show: 


• No. — The number of the packet in the capture file. This number won't change, even if a display filter is used.

• Time — The timestamp of the packet. The presentation format of this timestamp can be changed.

• Source — The address where this packet is coming from.

• Destination — The address where this packet is going to.

• Protocol — The protocol name in a short (perhaps abbreviated) version.

• Info — Additional information about the packet content.


Color Rules 

A very useful mechanism available in Wireshark is packet colorization. There are two types of coloring rules in Wireshark: temporary ones that are only used until you quit the program, and permanent ones that will be saved to a preference file so that they are available in the next session. So let's focus on the most important name filters. Green refers to TCP packets, but black identifies corrupted TCP packets. Light blue refers to UDP packets and dark blue to DNS traffic. For more information, or to edit/add our own color rules, we can navigate to the View menu and click Coloring Rules.


Packet Details Pane 

The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.


Figure 2. List — Details Pane (packet list columns No., Time, Source, Destination, Protocol, Length, Info above the details tree: Frame, Ethernet II, Internet Protocol Version 4, Transmission Control Protocol)


Packet Bytes Pane 

The packet bytes pane shows the data of the current 
packet in a hexdump style. The left side shows the offset 
in the packet data, in the middle the packet data is shown 
in a hexadecimal representation and on the right the cor- 
responding ASCII characters are displayed. 


Start Capturing — Analyzing 

In this part we will start capturing once more on our network, so click the Start option from the Capture menu. Next we will attempt to log in to an account and analyze it in the Wireshark tool to see if we can find important information. As we can see, there are a lot of packets appearing in Wireshark. A valuable option here is the Filter mechanism, which lets us quickly edit and apply display filters. Let's isolate the HTTP packets by typing the string http in the filter tab. As we can see, the packet list pane now shows only HTTP packets. We need to locate the HTTP packets and identify the response of the Host which we attempted to log in to. Looking at the highlighted results, we can determine from the Info column that there are packets which contain the GET method. Let's focus on this information and explain it.


Note 

GET method requests a representation of the specified 
resource. Requests using GET should only retrieve data 
and should have no other effect. At the packet list pane, 
click the Hypertext Transfer Protocol. As we can see, the 
GET method appears and also a lot of important informa- 
tion such as the request version of the Server, the Host 
and the User-Agent which contains the browser version 
and the OS that the user used to login. Next we want to 
examine the full conversation between the client and the 
server by accessing the Follow TCP Stream option (right 
click on the packet and then choose Follow TCP Stream). 
A pop-up window will appear which will contain the entire conversation on stream content. The red words indicate the request and the blue, the response of the Host. Also, as we can notice, choosing the Follow TCP Stream option Wireshark automatically added the appropriate filter in the Filter area.


Figure 3. TCP Stream Window (Follow TCP Stream: the client's GET request with Host, User-Agent, Accept, Cookie and Connection headers, followed by the server's HTTP/1.1 200 OK response with Date, Server, P3P, Set-Cookie, Expires, Last-Modified, Cache-Control and Pragma headers)


By reviewing the highlighted code closely on Figure 
3, we can see that the index.php action has two inputs, 
the username and the password. We can identify on 
Packet List pane a POST Request method from our 
machine to the server using HTTP protocol. Selecting 
once more the Hypertext Transfer Protocol tree, we can 
verify the request and the method which was used to 
login to the Host. 

Figure 4. Bytes Pane (hexdump of the POST request around "application/x-www-form-urlencoded" and "Content-Length:")


Note 

POST method requests that the server accept the entity 
enclosed in the request as a new subordinate of the web 
resource identified by the URI. The data POSTed might 
be, for example, an annotation for existing resources; a 
message for a bulletin board, newsgroup, mailing list, or 
comment thread; a block of data that is the result of sub- 
mitting a web form to a data-handling process; or an item 
to add to a database. 
As we can notice on the packet details pane, there is also a new tree line named Line-based text data. By clicking it once, we can see the POST request which contains the username and the password in clear text. Also, checking the packet bytes pane, we can draw the same information from the Hex or Bit view.


Cracking — Analyzing W-Network

In this part of the article, we will explain how we can have access to our WLAN network, how to retrieve the wireless password and, finally, how we can use it to analyze the traffic packets in Wireshark.

First we will run the following command to get a list of our network interfaces:

    wizard32@wizard32:~$ sudo airmon-ng

    Interface       Chipset         Driver

    wlan0           Unknown         iwlwifi - [phy0]

As we can notice, the only available interface is the wlan0 adapter. To capture network traffic without being associated with an access point, we need to set the wireless network adapter in monitor mode (Listing 1). Next, run the Wireshark tool once more and navigate to the Capture menu and click the Interfaces option. As we mentioned before, monitor mode is enabled on mon0, so in the Wireshark pop-up window select mon0 as the capture interface and click Start (Figure 5). After starting the capture,


Listing 1. Setting wireless network adapter in monitor mode

    wizard32@wizard32:~$ sudo airmon-ng start wlan0

    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!

    PID     Name
    1103    NetworkManager
    1121    avahi-daemon
    1125    avahi-daemon
    29??    wpa_supplicant     (PID partly illegible in scan)

    Interface       Chipset         Driver

    wlan0           Unknown         iwlwifi - [phy0]
                                    (monitor mode enabled on mon0)
we locate multiple SSID access points. By typing HTTP or DNS in the Filter menu, Wireshark doesn't return any result. Looking at the packet list pane, we can search for our access point either by locating the BSSID (basic service set identification) or the SSID (service set identifier).

• BSSID is the MAC address of the wireless access point (WAP) generated by combining the 24 bit Organization Unique Identifier and the manufacturer's assigned 24-bit identifier for the radio chipset in the WAP.

• SSID is the name of a wireless local area network (WLAN).

As we can notice, two new tree lines have been added on the packet details pane. Both of them specify the wireless communication protocol. Another way to locate our access point is to use the airodump-ng tool.

    wizard32@wizard32:~$ sudo airodump-ng mon0

    BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

    00:11:8F:8E:4E:32  -30      [?]      0    0   1  54   WEP  WEP         wizard32

Figure 5. Wireshark Interfaces (the Capture Interfaces dialog, now listing mon0 alongside eth0, the usbmon devices, any and lo)

Listing 2. Retrieving WEP network key

    wizard32@wizard32:~$ sudo aircrack-ng ~/Desktop/W-packets-01*.cap
    Opening /home/wizard32/Desktop/W-packets-01.cap
    Read 61960 packets.

       #  BSSID              ESSID     Encryption

       1  00:11:8F:8E:4E:32  wizard32  WEP (21124 IVs)

    Choosing first network as target.
    Opening /home/wizard32/Desktop/W-packets-01.cap
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 21124 ivs.

                                     Aircrack-ng 1.1

                     [00:00:02] Tested 7 keys (got 21124 IVs)

       KB    depth   byte(vote)
       [key-byte vote table illegible in scan]

                 KEY FOUND! [ 4B:AB:EE:1C:02 ]
        Decrypted correctly: 100%
To capture data into a file using the airodump-ng tool once more, we must specify some additional options to target a specific access point.

    wizard32@wizard32:~$ sudo airodump-ng -c 1 -w ~/Desktop/W-packets --bssid 00:11:8F:8E:4E:32 mon0

Currently, we can use two different ways to retrieve the password of our network. The first one is to use a tool named aircrack-ng in association with the .pcap packets that we captured using the airodump-ng tool; the second is to use the .pcap file from the Wireshark tool and perform a dictionary attack against a specific access point. Let's analyze them.


Method: aircrack-ng

To recover the WEP key, aircrack only requires the collection of enough data. So, in the terminal we type the following command to retrieve our WEP network key: Listing 2. As we can see, aircrack decrypted and correctly found our WEP network key. Let's analyze how we can retrieve it using the dictionary attack method on the .pcap Wireshark file (Listing 3) this time.

    -w: Identifies our wordlist file

Note

Some of these tools (airmon-ng) might need to be installed, unless we are using a system which has airmon-ng already installed, such as BackTrack/Kali or BackBox.

Figure 6. Decryption Keys Pane


In both cases, aircrack successfully recovered the WEP 
key. Now it’s time to apply our WEP key into Wireshark 
tool to enable decryption to locate possible sensitive infor- 
mation. Navigate to Edit menu, then click on Preferences 
option and on Protocol tree line locate the IEEE 802.11 
protocol. Next we mark the Enable decryption checkbox 
and then we click the Edit button to add our WEP key. 


The Moment of Truth (TMT)

We are searching once more for possible http || dns protocols. By reviewing the highlighted code closely on Figure 2 we can see multiple HTTP requests to a specific host. To eliminate even more results we will create a new filter which will select only those packets from the specific Host. So we locate the GET request and we apply the selected line as a filter. As before, we locate the line which contains the parameters (username/password). Notice that on the packet bytes pane, the Frame tab and the Decrypted WEP data tab appear.

Listing 3. Retrieving the WEP network key using the dictionary attack method

    wizard32@wizard32:~$ sudo aircrack-ng -w ~/Desktop/mywordlist.txt -b 00:11:8F:8E:4E:32 ~/Desktop/W-capture.pcap
    Opening /home/wizard32/Desktop/W-capture.pcap
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 21096 ivs.

                                     Aircrack-ng 1.1

                     [00:00:02] Tested 7 keys (got 21096 IVs)

       KB    depth   byte(vote)
       [key-byte vote table illegible in scan]

                 KEY FOUND! [ 4B:AB:EE:1C:02 ]
        Decrypted correctly: 100%


Table 1. POST info request

    Key         Value
    task        login
    username    Admin
    passwd      I3tmeln!


Protect from Snooping 

All of the above examples show how easy it is to obtain sensitive data by snooping on a connection. The best way to prevent this is to encrypt the data that's being sent. The best-known encryption methods are SSL (Secure Sockets Layer) and TLS (Transport Layer Security).

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely deployed security protocols used today. They are essentially protocols that provide a secure channel between two machines operating over the Internet or over an internal network. SSL certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the "subject," which is the identity of the certificate/website owner.
Dynamic Memory
Allocation in Unix


It is not always possible, at compile time, to know how big to make all of our data structures. When we send an SQL query to the database, it may return twenty million rows, or it may return one.

The mechanism by which we persuade the operating system to give us memory on the fly, is called dynamically allocated memory. This memory is outside of the memory allocated to the process, in an area known as the 'heap', and our doorway into it, is a pointer to the first byte, returned by a function called malloc(). When we see code containing calls to malloc(), it may be difficult to see what it all means, because of the way it has been written, so it may be advantageous to assemble this code, piece by piece.

The basic function, takes one argument, the number of bytes of memory required, and returns a pointer to the first byte of this, like this:


    char *pointer;
    int size = 1000000;

    pointer = malloc(size);


Originally, malloc() used to return a pointer to char, since 
this pointed to one byte, as well as anything could, but 
this was too simple. These days, malloc() returns a 
pointer to ‘void’, which is exactly the same as a pointer to 
char, but the compiler won't let you use it, without a cast 
to your favorite data type. 

Therefore, if we need a character array, in the midst of our computation, we would need to rewrite the call, to say:

    pointer = (char *)malloc(size);


If malloc() fails, it returns a NULL pointer, which we are duty bound to check, so we code it as:

    if((pointer = (char *)malloc(size)) == NULL) {
        printf("Memory allocation failed\n");
    }


Now, it's starting to look ugly, and can be made downright hideous, by allocating an array of structures:

    struct this {
        int one;
        int two;
        int three;
    };
    struct this *pointer;
    int size = 1000000;
    if((pointer = (struct this *)malloc(size * sizeof(struct this))) == NULL) {
        printf("Memory allocation failed\n");
    }


Occasionally, it isn't possible to know in advance, exactly how much memory we need. We may be collecting data from several different sources, to place in one array, and only know how much each source will provide, when we access it.

There is another function, which permits us to alter the 
amount of memory which we previously allocated with 
malloc(), called realloc(). 

The realloc() function takes a pointer to a dynamically 
allocated block of memory, and a new size value, and re- 
turns a new pointer, to the extended memory: 


    char *pointer;
    char *temp;
    int newsize = 2000000;

    temp = (char *)realloc(pointer, newsize);

or, to be pedantic,

    if((temp = (char *)realloc(pointer, newsize)) == NULL) {
        printf("Memory reallocation failed\n");
    }


If we need to use our original pointer, for cosmetic, or aesthetic reasons, to point to the new memory, we simply reassign it:

    pointer = temp;


Very brave programmers, who have faith in the order in which operations are performed, can save the cost of a pointer, by recycling the original pointer:

    if((pointer = (char *)realloc(pointer, newsize)) == NULL) {
        printf("Memory reallocation failed\n");
    }

Don't do this, because down this road lies madness, and a few core dumps: if realloc() fails, the original pointer has been overwritten with NULL and the memory it pointed to can no longer be reached or freed.

All of that was quite easy, really but, occasionally, we 
need an array of pointers to things which, themselves, are 
of variable size. For instance, we may be rifling the bank’s 
database, looking for the loan payment records of all of its 
hapless customers. We don't know, in advance, how ma- 
ny customers there will be, or how many payments they 
made. We start with the declaration of the two dimension- 
al pointer: 


    char **pointer;

Some programmers declare this kind of pointer as 'char *pointer[]', since this looks like a pointer to an array, but it may be more intuitive to think of this as a pointer to a pointer.

Our first task, is to make the pointer to a pointer point to more than one pointer. In other words, we need an array of pointers, of the correct length. At the moment, all we have, is eight bytes of memory, containing garbage. Those eight bytes need to contain the first address, of an array of addresses. We do this with malloc():
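The realloc() discipline above (grow through a temporary pointer, never recycle the original) and the pointer-to-pointer table just described, combined in one added example that is not the article's code: a table of variable-length records whose pointer array doubles with realloc() and whose rows are malloc'd one at a time. The struct table type, the doubling policy and the constructed "payment records" are assumptions of this example.

```c
/* Added example (not the article's code): a growing char ** table using the
 * temp-pointer realloc idiom, with the matching free order. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct table {
    char **rows;      /* the "pointer to a pointer": an array of row pointers */
    size_t count;     /* rows in use */
    size_t capacity;  /* rows allocated */
};

/* Start with room for one row pointer; no rows exist yet. */
int table_init(struct table *t)
{
    t->count = 0;
    t->capacity = 1;
    t->rows = malloc(t->capacity * sizeof(char *));
    if (t->rows == NULL) {
        printf("Memory allocation failed\n");
        return -1;
    }
    return 0;
}

/* Append a copy of `row`. realloc goes through a temporary pointer, so a
 * failed reallocation leaves t->rows intact and still freeable. */
int table_add(struct table *t, const char *row)
{
    if (t->count == t->capacity) {
        size_t newcap = t->capacity * 2;
        char **temp = realloc(t->rows, newcap * sizeof(char *));
        if (temp == NULL) {
            printf("Memory reallocation failed\n");
            return -1;                 /* t->rows is still valid here */
        }
        t->rows = temp;                /* only now do we reassign the original pointer */
        t->capacity = newcap;
    }
    size_t len = strlen(row) + 1;      /* each row is exactly as long as it needs to be */
    char *copy = malloc(len);
    if (copy == NULL) {
        printf("Memory allocation failed\n");
        return -1;
    }
    memcpy(copy, row, len);
    t->rows[t->count++] = copy;
    return 0;
}

/* Total characters held by the rows (terminators excluded). */
size_t table_total_len(const struct table *t)
{
    size_t total = 0;
    for (size_t i = 0; i < t->count; i++)
        total += strlen(t->rows[i]);
    return total;
}

/* Free the rows first, then the array of pointers, never the other way round. */
void table_free(struct table *t)
{
    for (size_t i = 0; i < t->count; i++)
        free(t->rows[i]);
    free(t->rows);
    t->rows = NULL;
    t->count = t->capacity = 0;
}

/* Constructed sample: a few "payment records" of differing lengths.
 * Returns the number of rows loaded, or 0 on failure. */
size_t load_sample(struct table *t)
{
    const char *records[] = { "cust=1;amt=100", "cust=22;amt=5", "cust=333;amt=12000" };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        if (table_add(t, records[i]) != 0)
            return 0;
    return t->count;
}
```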


Linked Lists 

When we are collecting data, the obvious, and simplest 
way of doing so, is to declare a structure, then declare a 
pointer to its type, and malloc an instance. As we acquire 
more data, we simply realloc our array of structures, and 
tack the data on to the end. 

For getting rows of data out of a database cursor, this is great, and you shouldn't consider any other approach. However, what happens if you want to remove the 154th data element from the array? Or, perhaps, insert the 154th element?

What if, you are storing data from several sources, like 
the roads on a map, which you need to attach to specific 
elements of your array, like the road junctions? 

Not so simple. 

Despite the mental picture conjured up by the word ‘list’, 
a linked list can be one dimensional, two dimensional or 
multi-dimensional. Apart from the street map mentioned 
above, another well-known application is an electronic cir- 
cuit diagram, where there are components, connected by 
wires which, together, form a two-dimensional figure. Add 
to that, airline routes, railway systems, and the dynami- 
cally changing positions of pieces on a chessboard, and 
you get an idea of the usefulness of linked lists. 

The Unix file system uses a linked list to map the blocks 
allocated to all of the files on a disk. As files are added, 
deleted, increase or decrease in size, the linked list is ap- 
propriately manipulated to reflect the current position. 

Okay, so what, exactly, is a linked list? 

One of my lecturers described linked lists as ‘a hundred 
blind men, holding hands in the dark’. 

To stretch the analogy a little further, we can add that 
two of the men have a little red light attached to their 
heads, so you can see them. 

Basically, a linked list is a series of data structures, with 
a special data structure at the head, and another special 
data structure at the tail of the list. 

Let's begin with a definition of the data structure. 


    struct queue {
        struct queue *fwd;
        struct queue *rev;
        char data[1024];
    };

Ignoring the embedded data array, notice that there are two pointers, each to a type 'struct queue' within the data structure. One is a forward pointer (*fwd), and the other, a reverse pointer (*rev).

It is these pointers, which link the linked list. Since we 
are using a forward and a reverse pointer, this will be a 
doubly linked list, but for some applications, we can omit 
either pointer, and just create a singly linked list. 

We'll only consider the doubly linked list, as the amount 
of extra effort to do so is minimal. 

First, we need to define the special structures for the 
head and tail. 


    struct queue *head;
    struct queue *tail;


Since these are currently pointers to nothing, let’s initial- 
ize them to some real memory: 


    if((head = (struct queue *)malloc(sizeof(struct queue))) == NULL) {
        printf("Can't allocate memory for head\n");
        return(-1);
    }

    if((tail = (struct queue *)malloc(sizeof(struct queue))) == NULL) {
        printf("Can't allocate memory for tail\n");
        return(-1);
    }


Now we have two blind men with lights on their heads, 
SO we can see them, but they still can’t see each other. 
Let’s fix that. We take the fwd pointer of the head, and 
attach it to the tail, and the rev pointer of the tail, and at- 
tach it to the head. 


    head->fwd = tail;
    tail->rev = head;


To identify the head and tail, we need to set the rev 
pointer of the head to NULL, and to do the same with the 
fwd pointer of the tail. 


head->rev = NULL; 
tail->fwd = NULL; 


Now the two blind men have placed their free hand onto a wall, which gives a clue as to how we know we've reached either end, when we're searching the list.

Now, we have to add an element to our list, which we can do at the head or at the tail. This is usually done within a subroutine, imaginatively called add_elmnt() or something, since we don't want to repeat the code a few hundred times in our program.

First, we create an element 


    struct queue *elmnt;

    if((elmnt = (struct queue *)malloc(sizeof(struct queue))) == NULL) {
        printf("Can't allocate memory for elmnt\n");
        return(-1);
    }


Then, to add this at the head, we do the following, in the 
following order. Changing the order may lead to attempts 
to attach to undefined pointers: 


• We first take our rev pointer, and point it to the head, whose address we know.

    elmnt->rev = head;

• Then, we point our fwd pointer to the address pointed to by the head's fwd pointer.

    elmnt->fwd = head->fwd;

• Next, we take the rev pointer of the structure pointed to by the fwd pointer of the head, and point it to ourselves.

    elmnt->fwd->rev = elmnt;

• At this point, we are attached to both head and tail, and can safely detach the head's fwd pointer from the tail, and attach it to ourselves.

    head->fwd = elmnt;


Why did we do the acrobatics in the third step? Why not, instead, just say

    tail->rev = elmnt;


The answer is, that we only know the position of the tail 
before we add the first element. However, we always 
know that the rev pointer of the structure following the 
head points back to the head. 

If we're adding our elements to the end of the list, we follow the same method, except that we only know the address of the tail:

    elmnt->fwd = tail;
    elmnt->rev = tail->rev;
    elmnt->rev->fwd = elmnt;
    tail->rev = elmnt;


Let us now assume that we have a list of a hundred ele- 
ments, and we want to scan it. 

We can't do an indexed scan, since we don't have an 
array, and we can't make any assumptions about the ad- 
dresses of the elements, since malloc just grabs memory 
from wherever it’s free. 

We need a pointer to struct queue, to traverse the structures, so we define a cursor:

    struct queue *cursor;

Then, we set up a loop:

    /* stop when the cursor is the tail, the only element whose fwd is NULL;
       this also copes with an empty list, where head->fwd is the tail itself */
    for(cursor = head->fwd; cursor->fwd != NULL; cursor = cursor->fwd) {
        /* do loopy things */
    }


The initialisation is obvious: we start at the first element, past the head of the list. Occasionally the head and tail carry extra bookkeeping, such as the queue length, so it may be necessary to start with 'cursor = head', but we have no such need. The loop increment is equally obvious: the cursor takes the address held in the current element's fwd pointer.

The loop termination condition deserves a closer look. Why not just say 'cursor != tail'? You can. However, it is not a good habit to get into, since some loops contain conditions that move the cursor by more than one element, and a comparison against a single address tells you nothing about where the cursor actually is. Testing the pointer itself documents what the loop relies on: it runs while the current element has a successor, and a NULL fwd pointer is a guarantee that you have reached the end of the list, since only the tail has it set to NULL. Note that the test is on cursor->fwd, not cursor->fwd->fwd; the latter stops one element short of the tail and silently skips the last real element. Whatever the test, the loop body must never step the cursor past the tail: tail->fwd is NULL, and the next dereference of it puts you on the road to 'segmentation fault (core dumped)'.

How about searching in reverse? Easy.

for (cursor = tail->rev; cursor->rev != NULL; cursor = cursor->rev) {
    /* do loopy things */
}


Now that we can insert elements, create a long list and search it, this just leaves us with the task of deleting an element.

We need to take the same amount of care with deleting as we took with adding an element. For the sake of example, let's say we want to delete any element with an empty data field in the queue structure:


for (cursor = head->fwd; cursor->fwd != NULL; cursor = cursor->fwd) {
    if (cursor->data[0] == 0x00) {
        cursor->fwd->rev = cursor->rev;
        cursor->rev->fwd = cursor->fwd;
        free(cursor);
        /* cursor still holds the address of the freed block, and the
         * loop increment is about to read fwd out of it */
    }
}


We take the rev pointer of the structure pointed to by our fwd pointer, and point it at the address held in our rev pointer. Next, we take the fwd pointer of the structure pointed to by our rev pointer, and point it at the address held in our fwd pointer.

This has now bypassed our current element, so we can free it. Right? Well, the cursor still holds the address of the original element so, yes, we can.

However, what happens when we get back to the top of the loop? It will try to set cursor to cursor->fwd, reading the fwd pointer out of a block we have just handed back to the allocator. This will appear to work, most of the time.

The problem is that reading freed memory is undefined behaviour, and a use-after-free of exactly this shape is a classic source of crashes and of exploitable bugs. The block does not go to another process (each process has its own address space, and free() returns the block to this process's own heap), but the allocator is now entitled to do what it likes with it: the next malloc() in this program may hand the same block out again, the allocator may write its own free-list bookkeeping over the first bytes of the block (glibc, for one, keeps the link to the next free chunk exactly where our fwd pointer lives), and some implementations deliberately fill freed blocks with junk so that code like this fails early rather than late. On an idle development machine, with nothing else touching the heap between the free() and the next iteration, the stale pointer usually still holds its old value and the loop runs to completion. In production, with a richer allocation pattern, the cursor jumps into the weeds somewhere on the heap, and the testers will call you out in the middle of the night to fix it.

You could decide that you can live with the memory leak, and omit the free() call, in which case you should firmly close this page and seek an alternative career.

To do it properly, what you need is a second cursor.

struct queue *sentry;

for (cursor = head->fwd; cursor->fwd != NULL; cursor = cursor->fwd) {
    if (cursor->data[0] == 0x00) {
        sentry = cursor->rev;
        cursor->fwd->rev = cursor->rev;
        cursor->rev->fwd = cursor->fwd;
        free(cursor);
        cursor = sentry;
    }
}


Now, let’s see what happens. 
As soon as we've found the element we wish to delete, we set sentry to the previous element. When we've unlinked our element from the list and freed its memory, we set cursor to the same address as sentry, which is the element before the one we just removed: the head itself, if we deleted the first element, which is one reason the head must be a real structure rather than a NULL pointer. The loop increment then advances the cursor, correctly, to the next element, without ever reading the freed block.

As we mentioned earlier, linked lists can be multi-dimen- 
sional. To create a two-dimensional list, suitable for cre- 
ating matrices, maps, and other topological representa- 
tions, we only need to change the basic element. 


struct elmnt {
    struct elmnt *fwd;
    struct elmnt *rev;
    struct elmnt *up;
    struct elmnt *dn;
    char data[1024];
};

Now, instead of just a forward and a reverse pointer, we 
have an up and a down pointer, as well. 

The process of adding an element now also includes setting the latter two. If the element being added is just another linear element, we set its up and dn pointers to NULL but, if it is a branch element, we have to point the branch point's up (or dn) pointer at the newly added structure, and the new structure's dn (or up) pointer back at the branch point. A branch element's fwd and rev pointers are not used, so they, too, should be set to NULL rather than left holding whatever malloc handed us.

Let's say we already have our linear linked list, and we wish to add one element above, and another below, the first element after the head.


elmnt->dn = head->fwd;
head->fwd->up = elmnt;
head->fwd->dn = NULL;
elmnt->up = NULL;


Note that we leave no trailing pointers, but terminate 
them with a NULL, so we can find the end of the branch. 

Next, we add a new element below the first element af- 
ter the head. 


elmnt->up = head->fwd;
head->fwd->dn = elmnt;
head->fwd->dn->dn = NULL;


Note that we don't set the head->fwd->up pointer to 
NULL, as we just added an element there. 

Traversing such a list requires two cursors, in nested loops. The main loop traverses the list horizontally with hcursor, while the two inner loops traverse the branches vertically, up and then down, with vcursor. Each inner loop starts at the first element of the branch rather than at hcursor itself, and runs until it reaches the NULL that terminates the branch.

for (hcursor = head->fwd; hcursor->fwd != NULL; hcursor = hcursor->fwd) {
    if (hcursor->up != NULL) {
        for (vcursor = hcursor->up; vcursor != NULL; vcursor = vcursor->up) {
            /* traverse the upward bound list */
        }
    }
    if (hcursor->dn != NULL) {
        for (vcursor = hcursor->dn; vcursor != NULL; vcursor = vcursor->dn) {
            /* traverse the downward bound list */
        }
    }
}
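The two-dimensional element above, with branch insertion and the nested traversal as functions, as an added example (editor's code, not the article's). The names grid_new, grid_append, grid_attach_above, grid_attach_below, grid_cell_count, grid_free and grid_demo are chosen here, and the three-in-a-row layout with two elements stacked above the first and one below the last is constructed for the demo. It goes one step beyond the text: attaching a second element above the same base element stacks it on the end of the existing branch instead of overwriting the base's up pointer, which is what keeps every branch a NULL-terminated list.

```c
#include <stdlib.h>
#include <string.h>

struct elmnt {
    struct elmnt *fwd, *rev;    /* the horizontal list */
    struct elmnt *up, *dn;      /* vertical branches hanging off an element */
    char data[1024];
};

/* Allocate one element with all four pointers NULL; stop on failure. */
static struct elmnt *grid_new(const char *text)
{
    struct elmnt *e = calloc(1, sizeof *e);
    if (e == NULL)
        abort();
    strncpy(e->data, text, sizeof e->data - 1);
    return e;
}

/* Append a new element to the horizontal list, just before the tail. */
static struct elmnt *grid_append(struct elmnt *tail, const char *text)
{
    struct elmnt *e = grid_new(text);
    e->fwd = tail;
    e->rev = tail->rev;
    e->rev->fwd = e;
    tail->rev = e;
    return e;
}

/* Add a new element at the top of base's upward branch: walk to the current
 * end of the branch, point the new element back down at it, and leave the new
 * element's up pointer NULL as the branch's new terminator. */
static struct elmnt *grid_attach_above(struct elmnt *base, const char *text)
{
    struct elmnt *e = grid_new(text), *top = base;
    while (top->up != NULL)
        top = top->up;
    e->dn = top;
    top->up = e;
    return e;
}

/* Mirror image for the downward branch. */
static struct elmnt *grid_attach_below(struct elmnt *base, const char *text)
{
    struct elmnt *e = grid_new(text), *bottom = base;
    while (bottom->dn != NULL)
        bottom = bottom->dn;
    e->up = bottom;
    bottom->dn = e;
    return e;
}

/* The nested traversal: hcursor walks the horizontal list, vcursor each branch.
 * A branch loop starts at the first branch element, not at hcursor, and ends on
 * the NULL that terminates the branch, so every cell is counted exactly once. */
static int grid_cell_count(const struct elmnt *head)
{
    const struct elmnt *hcursor, *vcursor;
    int n = 0;
    for (hcursor = head->fwd; hcursor->fwd != NULL; hcursor = hcursor->fwd) {
        n++;
        for (vcursor = hcursor->up; vcursor != NULL; vcursor = vcursor->up)
            n++;
        for (vcursor = hcursor->dn; vcursor != NULL; vcursor = vcursor->dn)
            n++;
    }
    return n;
}

/* Free each branch, then the element it hangs from; head and tail included. */
static void grid_free(struct elmnt *head)
{
    struct elmnt *hnext, *v, *vnext;
    for (; head != NULL; head = hnext) {
        hnext = head->fwd;
        for (v = head->up; v != NULL; v = vnext) {
            vnext = v->up;
            free(v);
        }
        for (v = head->dn; v != NULL; v = vnext) {
            vnext = v->dn;
            free(v);
        }
        free(head);
    }
}

/* Constructed layout: a, b, c in a row, two stacked above a, one below c.
 * Returns the number of cells the traversal visits. */
static int grid_demo(void)
{
    struct elmnt *head = grid_new(""), *tail = grid_new(""), *a, *c;
    int n;
    head->fwd = tail;
    tail->rev = head;
    a = grid_append(tail, "a");
    grid_append(tail, "b");
    c = grid_append(tail, "c");
    grid_attach_above(a, "a-up1");
    grid_attach_above(a, "a-up2");  /* lands on top of a-up1, not beside it */
    grid_attach_below(c, "c-dn1");
    n = grid_cell_count(head);      /* 3 on the row + 2 above + 1 below */
    grid_free(head);
    return n;
}
```

Freeing walks each branch from its base outward, which is the only safe order: once an element is freed, its up and dn pointers are gone with it, so grid_free reads the next pointer before calling free(), just as the sentry does in the one-dimensional case.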


Three dimensional linked lists work in exactly the same way, with an element defined as

struct elmnt {
    struct elmnt *fwd;
    struct elmnt *rev;
    struct elmnt *up;
    struct elmnt *dn;
    struct elmnt *out;
    struct elmnt *in;
    char data[1024];
};

where 'out' and 'in' are the z-axis pointers.

It is left as an exercise for the reader, to design a func- 
tion to add such an element to a linked list, and then to 
define a traversal function. 


MARK SITKOWSKI 
Mark Sitkowski C.Eng, M.I.E.E. Consultant to Forticom Security

COLUMN


Technology makes a wonderful slave but a 
cruel master. Both Amazon and Tesco, major 
retailers in the UK and worldwide have been 
severely criticised in the media for the use 
of technology to control and monitor staff 
excessively. As IT professionals, where do we 
draw the ethical line in the sand? 


like an axe in the hands of a pathological criminal.” 

Time and again throughout history, as a society 
we have seen the positive contributions made by innova- 
tors, creatives, engineers, architects and humanitarians 
perverted and used for immoral if not evil ends. Tempting 
though it would be to take Einstein's quote and neatly as- 
sign to the technologists the role of the angels and to the 
politicians, bankers, society or whoever else the role of 
the pathological criminal, this would be far too simplistic. 
As far as I am concerned, the actions of black-hat hackers, 
spammers and the various other forms of Internet low-life 
are definitely criminal if not pathological. Of course, we 
must make allowances for the uneducated and the un- 
aware, and I do not include here the average end user 
who has a compromised PC due to poor web hygiene. 
No, we are talking about those whose hearts are dark and 
who choose to use technology for their own agenda, rath- 
er than for the benefit of all. 

Traditionally, the guru was party to esoteric knowledge shared with others either for financial, spiritual or social status. The first rule for the guru was the protection of knowledge and wisdom, as it was widely understood that the value of the guru would be inversely proportional to the number of people who were cognisant of the "magic". Essentially, the same morality exists today in the form of the established professions (Doctors, Lawyers, Architects etc.): the amount of studying, self-sacrifice and knowledge that is required to achieve qualification and recognition is great, so the profession then erects barriers to those that are not initiated. This in turn leads to separation within society, between those with the knowledge, and as a consequence power, and those that do not. This has led to cries from the "have nots" of injustice, and so the political ideologies of Marxism, Communism, Maoism, Stalinism, Socialism etc. gained traction and political credence in the 20th century. Irrespective of the basis of these riches, whether they be intellectual, financial, or physical, there were secrets to keep, professional relationships to be nurtured and at all costs the status quo to be maintained.

Aside from political argument as to whether or not Capi- 
talism or any other doctrine is superior, the second rule for 
the guru is do not whistle-blow. Ever. The consequences 
of being an initiate and sharing “dirty washing in public” 
range from censure, character assassination to potentially 
death depending on the quality, importance and potential 
embarrassment caused by the information being shared. 
Just ask Frank Serpico. Unfortunately we cannot ask Kar- 
en Silkwood. Of course, if “leaking” information is useful 
to discrediting another guru, often this will be encouraged. 

So I have no problem at all in awarding Edward Snowden the author's "IT Man of the year" award for courage, honesty and integrity, but qualified with a very small pinch of salt. While it is difficult to get to the bottom of any spook-based operation, especially taking into account the incestuous relationship the media (including the alternative media) have with the security services, it is hard to reconcile on a pragmatic basis why ES chose to seek asylum in Russia. Maybe it was the harsh hand of fate, the bitter cup of circumstance that placed him in these circumstances. Unless this becomes public knowledge, or we manage to share a cup or two of coffee, I doubt I will ever know. But if I was in his shoes, I would have chosen a host that couldn't potentially change his role from truth-teller to political pawn a la the exchanges that happened on the borders of East and West Germany during the cold war. We mustn't judge though — as far as I am concerned ES has made a tremendous sacrifice and we must honour that irrespective of the geopolitical rhetoric. In my book, a truth-teller, whether communist, fascist or capitalist, must be applauded wholeheartedly.

But let's get back to reality, rather than a media frenzy of accusation and counter accusation. The problem with committed IT professionals (and I use the word committed here in the sense that we are passionate rather than candidates for the lunatic asylum) is that what we are involved with is often on the scale of rocket science, nuclear physics or whatever. A few thousand lines of code can change lives. Our product can be the stiletto that is used to shave 20% off the staffing levels of an organisation, or maybe as system administrators we can be asked to forget major "ethical hiccups". And some of us write code for nuclear weapons guidance systems. When you are submerged in lines of code, caught in the political management crossfire with a serious deadline due, or just burnt out with the whole shebang, it is important to remember the context, despite how difficult that is to do.

Like all of society, IT has its mix of extroverts and introverts. Personally, I prefer quality over quantity, so I spend my time writing long leader columns that will hopefully entertain and communicate rather than lots of spurious noise on Facebook and Twitter. Sheesh, I don't even have a blog. So in Internet terms, I am probably a confirmed introvert (I do occasionally reply to emails. If you have any constructive comments on these columns, or would like to discuss, please feel free to email me at me@merville.co.uk.). Others are more comfortable baring their heart in short bursts. I aim for 1000 words. Maybe I am a dinosaur, but as I mentioned earlier context is everything, and that is why every guru has to take his personal path to enlightenment. Only you know from your personal value system if the project you are working on is a threat. Does it pass the smell factor? How uneasy do you feel? Could you justify it in front of your manager? The CEO? The shareholders? Society? The universe? God?

To be honest, I feel sorry for the coders and techs involved in the Amazon and Tesco projects. Payback in the form of negative media exposure, no matter how distanced you are from the source or target, is never pleasant. At the time, everything was probably justified from a management and project perspective, but naturally hindsight has 20-20 vision. In all my years as a tech, apart from those leaning towards or in management, I have never met an IT specialist who wanted to see jobs lost or benefits reduced by the application of technology. Maybe I have worked with too many idealists, but we all wanted to make things better. Safer. More productive. Less stressful. More fun. And at the same time make an honest buck. So let's raise our glasses in New Year 2014 to the Snowdens, Assanges, Tesco and Amazon employees who have had the courage to blow the whistle. And may they be our encouragement to do likewise as we enter deeper into the age of the pathological criminal.


ROB SOMERVILLE 

Rob Somerville has been passionate about technology since his early 
teens. A keen advocate of open systems since the mid-eighties, he has 
worked in many corporate sectors including finance, automotive, air- 
lines, government and media in a variety of roles from technical sup- 
port, system administrator, developer, systems integrator and IT man- 
ager. He has moved on from CP/M and nixie tubes but keeps a solder- 
ing iron handy just in case. 